From 15f8f4594de812d538a12f023364c2fa67a2a7b0 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Thu, 2 Aug 2018 10:46:40 -0700 Subject: [PATCH 01/22] updating --- .../msix-app-ackaging-tool.md | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 windows/application-management/msix-app-ackaging-tool.md diff --git a/windows/application-management/msix-app-ackaging-tool.md b/windows/application-management/msix-app-ackaging-tool.md new file mode 100644 index 0000000000..f380710a6e --- /dev/null +++ b/windows/application-management/msix-app-ackaging-tool.md @@ -0,0 +1,64 @@ +--- +title: Repackage your existing win32 applications to the MSIX format. +description: Learn how to install and use the MSIX packaging tool. +keyboards: ["MSIX", "application", "app", "win32", "packaging tool"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +ms.author: mikeblodge +ms.topic: article +ms.date: 08/01/2018 +--- + +# Repackage existing win32 applications to the MSIX format + +The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). + +> Prerequisites: +- Participation in the Windows Insider Program +- Minimum Windows 10 build 17701 +- Admin privileges on your PC account +- A valid MSA alias (to access the app from the Store) + +## What's new +- Moved "Send Feedback" to a top-level page in settings for better visibility. +- "Settings" saves now persist across app launches. +- All pop ups now have a uniform size. + + +## Installing the MSIX Packaging Tool + +1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). +2. Open the product description page. +3. Click the install icon to begin installation. + +This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview: + +- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. +- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. +- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. + +Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: + +- Some options in the Settings page, such as adding/removing VFS/VREG and defining a default save location. +- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). +- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. +- Command Line Interface support +- Conversion of App-V 4.x packages + +## How to file feedback + +Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items. + +## Best practices + +- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable. +- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package. +- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. +- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. + +## Known bugs +1. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. +2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. + From 78ee22dd58906b408798465633f9aa9c0332a91a Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Thu, 2 Aug 2018 15:03:05 -0700 Subject: [PATCH 02/22] updating --- .../{msix-app-ackaging-tool.md => msix-app-packaging-tool.md} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename windows/application-management/{msix-app-ackaging-tool.md => msix-app-packaging-tool.md} (99%) diff --git a/windows/application-management/msix-app-ackaging-tool.md b/windows/application-management/msix-app-packaging-tool.md similarity index 99% rename from windows/application-management/msix-app-ackaging-tool.md rename to windows/application-management/msix-app-packaging-tool.md index f380710a6e..6e5fdc953a 100644 --- a/windows/application-management/msix-app-ackaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -16,6 +16,7 @@ ms.date: 08/01/2018 The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). > Prerequisites: + - Participation in the Windows Insider Program - Minimum Windows 10 build 17701 - Admin privileges on your PC account @@ -58,7 +59,7 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge - Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. -## Known bugs +## Known issues 1. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. 2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. From 634804869be912ecb98ade4a25d25f66f94c0d55 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Thu, 2 Aug 2018 15:50:40 -0700 Subject: [PATCH 03/22] updating --- windows/application-management/msix-app-packaging-tool.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 6e5fdc953a..e48cb1bcec 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -25,6 +25,7 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft ## What's new - Moved "Send Feedback" to a top-level page in settings for better visibility. - "Settings" saves now persist across app launches. +- Changing default save location is now supported through Settings menu. - All pop ups now have a uniform size. @@ -60,6 +61,9 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. ## Known issues -1. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. -2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. +1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. +2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. +3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. +4. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. + From 78c11800c5fdb289eb56b3420783fcea89511ac3 Mon Sep 17 00:00:00 2001 From: Saumya Singh Date: Mon, 6 Aug 2018 11:06:07 -0700 Subject: [PATCH 04/22] Updated policy for cloud speech services privacy --- windows/client-management/mdm/policy-csp-privacy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index ac16face75..57093ef791 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -433,7 +433,7 @@ The following list shows the supported values: -Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. +Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. Most restricted value is 0. @@ -450,7 +450,7 @@ ADMX Info: The following list shows the supported values: - 0 – Not allowed. -- 1 (default) – Allowed. +- 1 (default) – Choice deferred to user's preference. From ac24f2f615b5a6fc925453a29e63b228b7e7cc4c Mon Sep 17 00:00:00 2001 From: John Flores Date: Mon, 6 Aug 2018 14:17:47 -0700 Subject: [PATCH 05/22] Content Idea Request 84638 --- .../security-policy-settings/account-lockout-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index c0380358d5..16a6c63d06 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -25,8 +25,8 @@ The following topics provide a discussion of each policy setting's implementatio | Topic | Description | | - | - | -| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. | | [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. | +| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. | | [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |   ## Related topics From 2f2f92f631d5e6c77e33bf1f836c2fcfed385a4c Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Mon, 6 Aug 2018 15:01:17 -0700 Subject: [PATCH 06/22] Update do-not-sync-browser-settings-include.md --- .../edge/includes/do-not-sync-browser-settings-include.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index 87c355b74f..0cec03f45e 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -27,9 +27,9 @@ For more details about configuring the browser syncing options, see [Sync browse - **GP ADMX file name:** SettingSync.admx #### MDM settings -- **MDM name:** [Experience/DoNotSyncBrowserSetting](../available-policies.md#do-not-sync-browser-settings) +- **MDM name:** [Experience/DoNotSyncBrowserSettings](../available-policies.md#do-not-sync-browser-settings) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSetting +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings - **Data type:** Integer #### Registry settings @@ -48,4 +48,4 @@ For more details about configuring the browser syncing options, see [Sync browse [About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)

-

\ No newline at end of file +
From 37559c148be935055027f4506ed2be549cd11adf Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Mon, 6 Aug 2018 15:02:14 -0700 Subject: [PATCH 07/22] Update new-policies.md --- browsers/edge/new-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md index f44167ad09..8783ea1791 100644 --- a/browsers/edge/new-policies.md +++ b/browsers/edge/new-policies.md @@ -44,7 +44,7 @@ We are discontinuing the **Configure Favorites** group policy. Use the **[Provis | [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New | | [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New | | [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New | -| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | Experience/DoNotSyncBrowserSetting | New | +| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | Experience/DoNotSyncBrowserSettings | New | | [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New | | [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | Experience/PreventUsersFromTurningOnBrowserSyncing | New | | [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | PreventTurningOffRequiredExtensions | New | From e0e28aba669d2ce2de9e709f128f08e80fc2a704 Mon Sep 17 00:00:00 2001 From: Jonathan Herlin Date: Tue, 7 Aug 2018 10:57:57 +0200 Subject: [PATCH 08/22] Fix code block formatting Fix code block formatting --- .../bitlocker/bitlocker-how-to-enable-network-unlock.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 0b99703f80..4643595543 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -351,6 +351,7 @@ The following steps can be used to configure Network Unlock on these older syste 6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix) Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f From b674c3fde018455f3e78bd9fee226e62eeff54d1 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 7 Aug 2018 14:18:22 +0000 Subject: [PATCH 09/22] Merged PR 10414: Remove wrong note --- windows/configuration/wcd/wcd-sharedpc.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 09c6c4a000..8cc91e3ca4 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -15,8 +15,7 @@ ms.date: 10/16/2017 Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. ->[!TIP] ->You can use the [ApplicationManagement](wcd-applicationmanagement.md) settings node to configure only the account management settings without enabling shared PC mode. + ## Applies to From e38f8b999e8817f58722158ec241da01894173e2 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Tue, 7 Aug 2018 09:51:34 -0700 Subject: [PATCH 10/22] now the conflict is fixed --- .../edge/includes/do-not-sync-browser-settings-include.md | 4 ---- browsers/edge/new-policies.md | 4 ---- 2 files changed, 8 deletions(-) diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index 4b6a8343c2..267812b6ac 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -27,11 +27,7 @@ For more details about configuring the browser syncing options, see [Sync browse - **GP ADMX file name:** SettingSync.admx #### MDM settings -<<<<<<< HEAD - **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) -======= -- **MDM name:** [Experience/DoNotSyncBrowserSettings](../available-policies.md#do-not-sync-browser-settings) ->>>>>>> 5fa3b7b039c599d82dd9013a4b2092f20578f503 - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings - **Data type:** Integer diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md index ab2a400dae..48df9f6016 100644 --- a/browsers/edge/new-policies.md +++ b/browsers/edge/new-policies.md @@ -44,11 +44,7 @@ We are discontinuing the **Configure Favorites** group policy. Use the **[Provis | [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New | | [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New | | [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New | -<<<<<<< HEAD | [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) | New | -======= -| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | Experience/DoNotSyncBrowserSettings | New | ->>>>>>> 5fa3b7b039c599d82dd9013a4b2092f20578f503 | [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New | | [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | Experience/PreventUsersFromTurningOnBrowserSyncing | New | | [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | From 2ec008a9fc1259b5b6d94958e3edc14d83c0fffa Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 07:55:27 -0700 Subject: [PATCH 11/22] editing what's new section --- .../msix-app-packaging-tool.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index e48cb1bcec..861d510bc9 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -23,10 +23,14 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft - A valid MSA alias (to access the app from the Store) ## What's new -- Moved "Send Feedback" to a top-level page in settings for better visibility. -- "Settings" saves now persist across app launches. -- Changing default save location is now supported through Settings menu. -- All pop ups now have a uniform size. +v1.2018.807.0 +- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. +- Fixed an issue where signing in with password protected certificates would fail in the tool. +- Fixed an issue where the tool was crashing when editing an existing MSIX package. +- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. +- Minor UI tweaks to add clarity. +- Minor updates to the logs for added clarity. + ## Installing the MSIX Packaging Tool @@ -43,7 +47,6 @@ This is an early preview build and not all features are supported. Here is what Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: -- Some options in the Settings page, such as adding/removing VFS/VREG and defining a default save location. - Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). - Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. - Command Line Interface support @@ -64,6 +67,5 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge 1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. 2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. 3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. -4. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. From 28685c2c11c2f12eb39b2cc39b0c77cf775b1ac2 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 07:59:41 -0700 Subject: [PATCH 12/22] editing metadata --- windows/application-management/msix-app-packaging-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 861d510bc9..75f8dc0b50 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -1,7 +1,7 @@ --- title: Repackage your existing win32 applications to the MSIX format. description: Learn how to install and use the MSIX packaging tool. -keyboards: ["MSIX", "application", "app", "win32", "packaging tool"] +keywords: ["MSIX", "application", "app", "win32", "packaging tool"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library From 6fd6d731e20c23aea4e7e3baf7f05f336f637d69 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 08:02:30 -0700 Subject: [PATCH 13/22] edited toc to add msix page --- windows/application-management/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index e726c4d38f..b3f1796488 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -4,6 +4,7 @@ ## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Add apps and features in Windows 10](add-apps-and-features.md) +### [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) From 3fd7aaf8217fcf02ac9a0da4f45f431f775f1703 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 08:45:28 -0700 Subject: [PATCH 14/22] updating the version number --- windows/application-management/msix-app-packaging-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 75f8dc0b50..cd0dce59af 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -23,7 +23,7 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft - A valid MSA alias (to access the app from the Store) ## What's new -v1.2018.807.0 +v1.2018.808.0 - Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. - Fixed an issue where signing in with password protected certificates would fail in the tool. - Fixed an issue where the tool was crashing when editing an existing MSIX package. From e047af48659220096c6ea857911f184cdd623895 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 8 Aug 2018 15:55:48 +0000 Subject: [PATCH 15/22] Merged PR 10440: Clarify purchase options for Billing and Global admin Add info about requirements for subscription-based software purchases in Store for Business. --- .../roles-and-permissions-microsoft-store-for-business.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 6dad7ccd03..22e03ceda8 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -10,7 +10,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 3/30/2018 +ms.date: 8/7/2018 --- # Roles and permissions in Microsoft Store for Business and Education @@ -31,10 +31,11 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | | +| Sign up for Microsoft Store for Business and Education | X | | Modify company profile settings | X | | | Acquire apps | X | X | | Distribute apps | X | X | +| Purchase subscription-based software | X | X |   - **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. @@ -43,7 +44,7 @@ This table lists the global user accounts and the permissions they have in Micro ## Microsoft Store roles and permissions -Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. From 457954c4a2ed851db779eb4d23a4a3cb22801b37 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 Aug 2018 09:14:10 -0700 Subject: [PATCH 16/22] fixed hide overrides --- .../create-wip-policy-using-intune-azure.md | 8 ++++---- .../create-wip-policy-using-intune.md | 6 +++--- .../create-wip-policy-using-mam-intune-azure.md | 6 +++--- .../create-wip-policy-using-sccm.md | 6 +++--- .../deploy-wip-policy-using-intune.md | 2 +- .../protect-enterprise-data-using-wip.md | 6 +++--- .../wip-learning.md | 16 ++++++++-------- 7 files changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a988c9641..7adccd0ac3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.pagetype: security author: justinha ms.author: justinha ms.localizationpriority: medium -ms.date: 07/10/2018 +ms.date: 08/08/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune @@ -348,14 +348,14 @@ If you're running into compatibility issues where your app is incompatible with ## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). **To add your protection mode** -1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. The **Required settings** blade appears. @@ -363,7 +363,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Mode |Description | |-----|------------| - |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| + |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index 1b084c9605..d75ea228ef 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 05/30/2018 +ms.date: 08/08/2018 ms.localizationpriority: medium --- @@ -308,11 +308,11 @@ If you're running into compatibility issues where your app is incompatible with ## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**. |Mode |Description | |-----|------------| -|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index e5590cd3ed..4d7cafc461 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.author: justinha -ms.date: 05/30/2018 +ms.date: 08/08/2018 localizationpriority: medium --- @@ -377,7 +377,7 @@ In the **Required settings** blade you must pick your Windows Information Protec ### Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). @@ -392,7 +392,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Mode |Description | |-----|------------| - |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| + |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 1c8de7d581..e766991a5a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 08/08/2018 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager @@ -340,14 +340,14 @@ If you're running into compatibility issues where your app is incompatible with ## Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md index fa52656359..26b5ff9472 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 08/08/2018 --- # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 1ad43ba3f3..6ebcf8b468 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -77,13 +77,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. @@ -132,7 +132,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 87c74dd9a0..7225edb78c 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.pagetype: security author: coreyp-at-msft ms.localizationpriority: medium -ms.date: 04/18/2018 +ms.date: 08/08/2018 --- # Fine-tune Windows Information Protection (WIP) with WIP Learning @@ -21,16 +21,16 @@ ms.date: 04/18/2018 With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). -The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. -## Access the WIP Learning reports - -1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. - +## Access the WIP Learning reports + +1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. + 2. Choose **Intune** > **Mobile Apps**. - + 3. Choose **App protection status**. 4. Choose **Reports**. @@ -95,7 +95,7 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol 9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** -When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) +When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file From 164dde37c0555d5ef3244a68fd9a2893cbee3b93 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Wed, 8 Aug 2018 10:24:38 -0700 Subject: [PATCH 17/22] Edited requirements table. --- .../windows-defender-exploit-guard.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 96ed1733a8..90ebc28935 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -68,14 +68,13 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, enhanced](./images/ball_75.png) | Includes advanced exploit protection for the kernel mode via [HVCI](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity) | -| ![supported, full reporting](./images/ball_full.png) | Includes automated reporting into the Windows Defender ATP console| +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | -| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) | -| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | From ab90399e87a89ff6bc2e84789127d695b677118d Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 8 Aug 2018 17:43:44 +0000 Subject: [PATCH 18/22] Merged PR 10448: Added new Browser policies to the What's new topic --- ...ew-in-windows-mdm-enrollment-management.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index c49ddb2579..e4e1e68a4c 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1381,6 +1381,24 @@ For details about Microsoft mobile device management protocols for Windows 10 s

  • Authentication/EnableFastFirstSignIn
  • Authentication/EnableWebSignIn
  • Authentication/PreferredAadTenantDomainName
    • +
  • Browser/AllowFullScreenMode
    • +
  • Browser/AllowPrelaunch
    • +
  • Browser/AllowPrinting
    • +
  • Browser/AllowSavingHistory
    • +
  • Browser/AllowSideloadingOfExtensions
    • +
  • Browser/AllowTabPreloading
    • +
  • Browser/AllowWebContentOnNewTabPage
    • +
  • Browser/ConfigureFavoritesBar
    • +
  • Browser/ConfigureHomeButton
    • +
  • Browser/ConfigureKioskMode
    • +
  • Browser/ConfigureKioskResetAfterIdleTimeout
    • +
  • Browser/ConfigureOpenMicrosoftEdgeWith
    • +
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
    • +
  • Browser/ForceEnabledExtensions
    • +
  • Browser/PreventCertErrorOverrides
    • +
  • Browser/SetHomeButtonURL
    • +
  • Browser/SetNewTabPageURL
    • +
  • Browser/UnlockHomeButton
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
    • @@ -1396,6 +1414,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Experience/AllowClipboardHistory
  • Experience/DoNotSyncBrowserSetting
  • Experience/PreventUsersFromTurningOnBrowserSyncing
    • +
  • Privacy/AllowCrossDeviceClipboard
    • +
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • TaskManager/AllowEndTask
  • Update/EngagedRestartDeadlineForFeatureUpdates
    • @@ -1741,8 +1761,28 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies in Windows 10, next major version:

      +
    • Browser/AllowFullScreenMode
      • +
    • Browser/AllowPrelaunch
      • +
    • Browser/AllowPrinting
      • +
    • Browser/AllowSavingHistory
      • +
    • Browser/AllowSideloadingOfExtensions
      • +
    • Browser/AllowTabPreloading
      • +
    • Browser/AllowWebContentOnNewTabPage
      • +
    • Browser/ConfigureFavoritesBar
      • +
    • Browser/ConfigureHomeButton
      • +
    • Browser/ConfigureKioskMode
      • +
    • Browser/ConfigureKioskResetAfterIdleTimeout
      • +
    • Browser/ConfigureOpenMicrosoftEdgeWith
      • +
    • Browser/ConfigureTelemetryForMicrosoft365Analytics
      • +
    • Browser/ForceEnabledExtensions
      • +
    • Browser/PreventCertErrorOverrides
      • +
    • Browser/SetHomeButtonURL
      • +
    • Browser/SetNewTabPageURL
      • +
    • Browser/UnlockHomeButton
    • Experience/DoNotSyncBrowserSetting
    • Experience/PreventUsersFromTurningOnBrowserSyncing
      • +
    • Privacy/AllowCrossDeviceClipboard
      • +
    • Privacy/UploadUserActivities
    From 49eeff4e58f099671b1fec4509c11b5f769a1253 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 8 Aug 2018 18:21:26 +0000 Subject: [PATCH 19/22] Merged PR 10452: Fixed version information for AllowInputPersonalization fixed version information --- windows/client-management/mdm/policy-csp-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 57093ef791..ce7a93c11d 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -433,7 +433,7 @@ The following list shows the supported values: -Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. +Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. Most restricted value is 0. From ac84c3edb9acbe94a3042639a0076eb9cfb767ce Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 8 Aug 2018 18:21:47 +0000 Subject: [PATCH 20/22] Merged PR 10450: Update/AllowAutoUpdate - added one new setting option --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8bda477361..4b7d9f5023 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/30/2018 +ms.date: 08/06/2018 --- # Policy CSP - Update @@ -428,7 +428,7 @@ The following list shows the supported values: - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. - 5 – Turn off automatic updates. - +- 6 - When AllowAutoUpdate is set to 6, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by other policies. (Added Windows 10, next major version). From e90febbe3b2397ed0d081c49bab76e6dbbc51f8c Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 8 Aug 2018 19:07:40 +0000 Subject: [PATCH 21/22] Merged PR 10455: clarify skipwifi (#1438) --- windows/configuration/wcd/wcd-firstexperience.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 3c2044f533..cb1554991e 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 08/08/2018 --- # FirstExperience (Windows Configuration Designer reference) @@ -27,5 +27,5 @@ PreferredRegion | Enter the [geographical location identifier](https://msdn.micr PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](https://msdn.microsoft.com/library/ms912391.aspx) SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. -SkipWifi | Set to **True** to skip connecting to a Wi-fi network. +SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.

    **Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](https://docs.microsoft.com/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). From bdd07e0983b9a580d28daac2eaa39756aa46da69 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 8 Aug 2018 19:38:19 +0000 Subject: [PATCH 22/22] Merged PR 10456: NetworkProxy CSP - Added a note to ProxySettingsPerUser that user proxy configuration is not supported --- windows/client-management/mdm/networkproxy-csp.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 9b846e226a..fcc6d7386e 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/12/2018 +ms.date: 08/08/2018 --- # NetworkProxy CSP @@ -34,7 +34,10 @@ The following diagram shows the NetworkProxy configuration service provider in t The root node for the NetworkProxy configuration service provider..

    **ProxySettingsPerUser** -Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide; set to 1 for proxy configuratio per user. +Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. + +> [!Note] +> Per user proxy configuration setting is not supported. **AutoDetect** Automatically detect settings. If enabled, the system tries to find the path to a PAC script.