diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 0ac57ede0d..dc313f8f5d 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -83,7 +83,7 @@ Install the following module in Powershell ``` syntax install-module AzureAD Install-module MsOnline - ``` +``` ### Connecting to online services diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 5c34d22900..5e2329f8c0 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,13 +7,18 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 11/15/2018 --- # Change history for Surface documentation This topic lists new and updated topics in the Surface documentation library. +## January 2019 + +New or changed topic | Description +--- | --- +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 | + ## November 2018 New or changed topic | Description diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 52a92a6ef7..1d736b1ece 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,7 +9,6 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 11/15/2018 ms.author: jdecker ms.topic: article --- @@ -89,6 +88,12 @@ Download the following updates for [Surface Studio from the Microsoft Download C * SurfaceStudio_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +## Surface Studio 2 + +Download the following updates for [Surface Studio 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57593). + +* SurfaceStudio2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 + ## Surface Book diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index 97ddde85fb..890ee785d2 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -1,43 +1,42 @@ ---- -title: Change history for Microsoft Education Get Started -description: New and changed topics in the Microsoft Education get started guide. -keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history +--- +title: Change history for Microsoft Education Get Started +description: New and changed topics in the Microsoft Education get started guide. +keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -author: CelesteDG -ms.author: celested -ms.date: 07/07/2017 ---- - -# Change history for Microsoft Education Get Started - -This topic lists the changes in the Microsoft Education IT admin get started. - -## July 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | -| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | -| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | -| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | -| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | -| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | -| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | -| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | - - -## June 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | - -## May 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/07/2017 +--- + +# Change history for Microsoft Education Get Started + +This topic lists the changes in the Microsoft Education IT admin get started. + +## July 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | +| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | +| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | +| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | +| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | +| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | +| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | +| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | + + +## June 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | + +## May 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index caf9b51520..6da930b66d 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -3,7 +3,6 @@ title: Configure Microsoft Store for Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index bab1e61628..5d3af7dc3d 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md @@ -3,7 +3,6 @@ title: Enable Microsoft Teams for your school description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index b15394f6ac..120b357bc2 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -3,7 +3,6 @@ title: Finish Windows 10 device setup and other tasks description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 39dad1f8e4..6df81f8b27 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -3,7 +3,6 @@ title: Deploy and manage a full cloud IT solution with Microsoft Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: hero-article diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 82ee6a90cd..01a5f5b4a9 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -3,7 +3,6 @@ title: Set up an Office 365 Education tenant description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index 5b79384b77..a62a0e282d 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 education devices description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index ba8630edd9..e1f8ef557e 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 devices using Windows OOBE description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index baef903733..d1ab32cfa9 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md @@ -3,7 +3,6 @@ title: Use Intune for Education to manage groups, apps, and settings description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index f880134137..f2bcfb50f9 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -3,7 +3,6 @@ title: Use School Data Sync to import student data description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/images/M365-education.svg b/education/images/M365-education.svg index 7f83629296..9591f90f68 100644 --- a/education/images/M365-education.svg +++ b/education/images/M365-education.svg @@ -1,4 +1,4 @@ - +
@@ -44,7 +45,7 @@ ms.date: 10/30/2017
  • - +
    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 652ef9e87c..0861f90f74 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -3,7 +3,6 @@ title: Educator Trial in a Box Guide description: Need help or have a question about using Microsoft Education? Start here. keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article @@ -162,7 +161,7 @@ Use video to create a project summary. 1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. -2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. +2. Open Microsoft Edge and visit https://aka.ms/PhotosTIB to download a zip file of the project media. 3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. diff --git a/education/trial-in-a-box/images/it-admin1.svg b/education/trial-in-a-box/images/it-admin1.svg index f69dc4d324..695337f601 100644 --- a/education/trial-in-a-box/images/it-admin1.svg +++ b/education/trial-in-a-box/images/it-admin1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student1.svg b/education/trial-in-a-box/images/student1.svg index 832a1214ae..25c267bae9 100644 --- a/education/trial-in-a-box/images/student1.svg +++ b/education/trial-in-a-box/images/student1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student2.svg b/education/trial-in-a-box/images/student2.svg index 6566eab49b..5d473d1baf 100644 --- a/education/trial-in-a-box/images/student2.svg +++ b/education/trial-in-a-box/images/student2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher1.svg b/education/trial-in-a-box/images/teacher1.svg index 7db5c7dd32..00feb1e22a 100644 --- a/education/trial-in-a-box/images/teacher1.svg +++ b/education/trial-in-a-box/images/teacher1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher2.svg b/education/trial-in-a-box/images/teacher2.svg index e4f1cd4b74..592c516120 100644 --- a/education/trial-in-a-box/images/teacher2.svg +++ b/education/trial-in-a-box/images/teacher2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 4a891bb989..c91f1c0264 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index a8ba174071..49d37afbff 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -3,7 +3,6 @@ title: IT Admin Trial in a Box Guide description: Try out Microsoft 365 Education to implement a full cloud infrastructure for your school, manage devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 11a23af4ec..cc82641391 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box Support description: Need help or have a question about using Microsoft Education Trial in a Box? Start here. keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 8a5441c5cc..3ab4c50a66 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -3,7 +3,6 @@ title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. keywords: Autopilot Reset, Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 76c3513812..4185c9baae 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -3,7 +3,6 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index d6bd7cb98c..58dcd89d1e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -3,7 +3,6 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 5ca42d662f..e981deb743 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,7 +4,6 @@ description: In this guide you will learn how to migrate a Google Chromebook-bas ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device, Chromebook migration ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 25b1199a54..9d1acc0a3c 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -5,7 +5,6 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school, educ ms.mktglfcycl: plan ms.sitesec: library ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.localizationpriority: medium author: CelesteDG @@ -149,7 +148,7 @@ For example: ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) ## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at http://www.bing.com/classroom/about-us. +Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at https://www.bing.com/classroom/about-us. > [!NOTE] > If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge). diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index 3b0c7b4e62..f8c2aecdf4 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -1,32 +1,31 @@ ---- -title: Create tests using Microsoft Forms -description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. -keywords: school, Take a Test, Microsoft Forms +--- +title: Create tests using Microsoft Forms +description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. +keywords: school, Take a Test, Microsoft Forms ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -author: CelesteDG -ms.author: celested -redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms ---- - -# Create tests using Microsoft Forms -**Applies to:** - -- Windows 10 - - -For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. - -To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. - -Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. - -[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) - - -## Related topics - -[Take tests in Windows 10](take-tests-in-windows-10.md) +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +ms.author: celested +redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms +--- + +# Create tests using Microsoft Forms +**Applies to:** + +- Windows 10 + + +For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. + +To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. + +Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. + +[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index f33287b723..b8897a3042 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index d430864463..d226f570db 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 17435853f2..82c72e22f5 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -8,8 +8,7 @@ ms.localizationpriority: medium author: CelesteDG ms.author: celested ms.date: 10/13/2017 -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 --- # Deployment recommendations for school IT administrators diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index d90e41f458..af93be32ee 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -2,7 +2,7 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ searchScope: - Store author: trudyha ms.author: trudyha -ms.date: 3/30/2018 -ms.technology: Windows +ms.date: 03/30/2018 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index a184220261..f58a24b82c 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -3,13 +3,12 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: kaushika-msft -ms.author: +ms.author: kaushik ms.date: 07/30/2018 --- @@ -54,8 +53,8 @@ process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-sce publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" - xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"> 1 @@ -100,8 +99,8 @@ Education customers who wish to avoid the additional overhead associated with Wi publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" - xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"> 1 diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md index 6fb8b22725..d0b001b4b7 100644 --- a/education/windows/get-minecraft-device-promotion.md +++ b/education/windows/get-minecraft-device-promotion.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition with your Windows 10 device promotion description: Windows 10 device promotion for Minecraft Education Edition licenses keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 06/05/2018 -ms.technology: Windows --- # Get Minecraft: Education Edition with Windows 10 device promotion diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 11aeea97ed..aadf84aabc 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 07/27/2017 -ms.technology: Windows ms.topic: conceptual --- @@ -22,7 +21,7 @@ ms.topic: conceptual - Windows 10 -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. +[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/index.md b/education/windows/index.md index 5f82e1d09a..d30a753c88 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -3,7 +3,6 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index e9dabad759..363cc0b93e 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -5,7 +5,6 @@ keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, W ms.mktglfcycl: deploy ms.localizationpriority: medium ms.prod: w10 -ms.technology: Windows ms.sitesec: library ms.pagetype: edu ms.date: 12/03/2018 diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index d2daacd44e..2def962415 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -2,7 +2,7 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 -ms.technology: Windows +ms.date: 01/05/2018 ms.topic: conceptual --- @@ -21,7 +20,7 @@ ms.topic: conceptual - Windows 10 -When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. +When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] >If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). @@ -34,7 +33,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions ### Minecraft: Education Edition - direct purchase -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**. +1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 16b59b9799..4a0081092e 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -3,7 +3,6 @@ title: Azure AD Join with Setup School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 021860eac7..e362f372b9 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -3,7 +3,6 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index 6276de2a50..3b3a9148a0 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -3,7 +3,6 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index d826440afe..957af5e711 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -3,7 +3,6 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index e942cf9a0a..b1f56ae163 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -3,7 +3,6 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 0f59dd6be5..a14aa4c69b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,8 +2,7 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 32c2f71bbb..77b6702db0 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -3,7 +3,6 @@ title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 90bffc1644..f4f62a27f3 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -3,7 +3,6 @@ title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. keywords: school, Windows device setup, education device setup ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index c444c9f842..8cfa0f104d 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -3,7 +3,6 @@ title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. keywords: take a test, test taking, school, policies ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -24,7 +23,7 @@ Take a Test is an app that locks down the PC and displays an online assessment w Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments -Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api). +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api). ## PC lockdown for assessment diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 3c4d28cb04..c08098f28d 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -3,7 +3,6 @@ title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. keywords: take a test, test taking, school, set up on multiple PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -29,7 +28,7 @@ To configure a dedicated test account on multiple PCs, select any of the followi - [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) - [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) -- [Group Policy to deploy a scheduled task that runs a Powershell script](#set-up-a-test-account-in-group-policy) +- [Group Policy to deploy a scheduled task that runs a Powershell script](https://docs.microsoft.com/education/windows/take-a-test-multiple-pcs#create-a-scheduled-task-in-group-policy) ### Set up a test account in the Set up School PCs app If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. @@ -169,7 +168,7 @@ This sample PowerShell script configures the tester account and the assessment U ``` $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; -$obj.LaunchURI='http://www.foo.com'; +$obj.LaunchURI='https://www.foo.com'; $obj.TesterAccount='TestAccount'; $obj.put() Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount @@ -266,7 +265,7 @@ Once the shortcut is created, you can copy it and distribute it to students. ## Assessment URLs This assessment URL uses our lockdown API: -- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). +- SBAC/AIR: [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/). ## Related topics diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 666b4d00a1..43ab25e727 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -3,7 +3,6 @@ title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. keywords: take a test, test taking, school, set up on single PC ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 7dfc8d1034..bede949a26 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -3,7 +3,6 @@ title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 87afbb458f..b5f3145c61 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -2,8 +2,7 @@ title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 +ms.date: 01/05/2018 ms.topic: conceptual --- @@ -24,13 +23,13 @@ ms.topic: conceptual The following article describes how teachers can get and distribute Minecraft: Education Edition. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. -To get started, go to http://education.minecraft.net/ and select **GET STARTED**. +To get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Try Minecraft: Education Edition for Free Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. -To learn more and get started, go to http://education.minecraft.net/ and select **GET STARTED**. +To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Purchase Minecraft: Education Edition for Teachers and Students diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 29964738e0..ac962a298b 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -4,7 +4,6 @@ description: Provides guidance on downloading and testing Windows 10 in S mode f keywords: Windows 10 in S mode, try, download, school, education, Windows 10 in S mode installer, existing Windows 10 education devices ms.mktglfcycl: deploy ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium @@ -80,21 +79,21 @@ Check with your device manufacturer before trying Windows 10 in S mode on your d | | | | | - | - | - | -| Acer | Alldocube | American Future Tech | -| ASBISC | Asus | Atec | -| Axdia | Casper | Cyberpower | -| Daewoo | Daten | Dell | -| Epson | EXO | Fujitsu | -| Getac | Global K | Guangzhou | -| HP | Huawei | I Life | -| iNET | Intel | LANIT Trading | -| Lenovo | LG | MCJ | -| Micro P/Exertis | Microsoft | MSI | -| Panasonic | PC Arts | Positivo SA | -| Positivo da Bahia | Samsung | Teclast | -| Thirdwave | Tongfang | Toshiba | -| Trekstor | Trigem | Vaio | -| Wortmann | Yifang | | +| Acer | Alldocube | American Future Tech | +| ASBISC | Asus | Atec | +| Axdia | Casper | Cyberpower | +| Daewoo | Daten | Dell | +| Epson | EXO | Fujitsu | +| Getac | Global K | Guangzhou | +| HP | Huawei | I Life | +| iNET | Intel | LANIT Trading | +| Lenovo | LG | MCJ | +| Micro P/Exertis | Microsoft | MSI | +| Panasonic | PC Arts | Positivo SA | +| Positivo da Bahia | Samsung | Teclast | +| Thirdwave | Tongfang | Toshiba | +| Trekstor | Trigem | Vaio | +| Wortmann | Yifang | | > [!NOTE] > If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ad1e1eb9e2..46f5b99026 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -3,7 +3,6 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 77282ce61d..d37d3c1d20 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -3,7 +3,6 @@ title: Windows 10 editions for education customers description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions. keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -21,7 +20,7 @@ ms.date: 10/13/2017 Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](http://www.windows.com/). +Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md index 76a6a6c45c..37c627b035 100644 --- a/mdop/mbam-v25/mbam-25-security-considerations.md +++ b/mdop/mbam-v25/mbam-25-security-considerations.md @@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL ## Configure MBAM to escrow the TPM and store OwnerAuth passwords -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password. @@ -40,7 +40,7 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP ### Escrowing TPM OwnerAuth in Windows 8 and higher -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine. diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 4d805de5fe..f27666d0fd 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "justinha", - "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-access-protection" diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 7d3ae2dae2..5c20bbd8a7 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "elizapo", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 4fc5382798..eab3b9f62e 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -35,8 +35,6 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "dongill", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 5d145ddd7f..07e2cb8f96 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -6,7 +6,7 @@ ### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +### [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md) ## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md) ## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md) ## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4649e684c3..6431b3c083 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -1,6 +1,6 @@ --- -title: On-premise authentication device enrollment -description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. +title: On-premises authentication device enrollment +description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 ms.author: maricia ms.topic: article @@ -10,16 +10,17 @@ author: MariciaAlforque ms.date: 06/26/2017 --- -# On-premise authentication device enrollment +# On-premises authentication device enrollment - -This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this topic -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) +- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) + - [In this topic](#in-this-topic) + - [Discovery service](#discovery-service) + - [Enrollment policy web service](#enrollment-policy-web-service) + - [Enrollment web service](#enrollment-web-service) For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). @@ -27,9 +28,9 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only). -> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +>[!NOTE] +>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. -  The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc The first request is a standard HTTP GET request. @@ -126,9 +127,9 @@ The discovery response is in the XML format and includes the following fields: - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following example shows a response received from the discovery web service for OnPremise authentication: ``` syntax @@ -211,9 +212,9 @@ After the user is authenticated, the web service retrieves the certificate templ MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following snippet shows the policy web service response. ``` syntax @@ -303,9 +304,9 @@ The RequestSecurityToken will use a custom TokenType (http://schema The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. +>[!NOTE] +>The policy service and the enrollment service must be on the same server; that is, they must have the same host name. -  The following example shows the enrollment web service request for OnPremise authentication. ``` syntax @@ -514,12 +515,4 @@ The following example shows the encoded provisioning XML. -``` - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1c06c38801..c936dbc5db 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1046,7 +1046,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 7578533727..5d622c650d 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -497,6 +497,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index c9fdf5ff82..dfad46a493 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -498,7 +498,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 47f25fad53..23c0950c12 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2760,7 +2760,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 7c7ed13b63..95e6d74539 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1566,7 +1566,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index fe2a79ede1..248f11d3fd 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -289,7 +289,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 702252a71e..97176bf5d7 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,7 +6,6 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/01/2018 --- # Policy CSP - DeviceInstallation @@ -86,11 +85,8 @@ If you enable this policy setting, Windows is allowed to install or update any d If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu: - -![Hardware IDs](images/hardware-ids.png) > [!TIP] @@ -142,7 +138,7 @@ To enable this policy, use the following SyncML. This example allows Windows to ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -200,11 +196,8 @@ This setting allows device installation based on the serial number of a removabl If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu: - -![Class GUIDs](images/class-guids.png) > [!TIP] @@ -262,7 +255,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt @@ -345,6 +338,8 @@ ADMX Info: + +
    @@ -417,6 +412,37 @@ ADMX Info: +To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
    @@ -461,15 +487,7 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. -For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). - -You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives: - -![Disk drives](images/device-manager-disk-drives.png) - -Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**: - -![Hardware IDs](images/disk-drive-hardware-id.png) +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -513,7 +531,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -564,12 +582,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. -For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). - -To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu: - -![Class GUIDs](images/class-guids.png) - +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -618,7 +631,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -634,6 +647,7 @@ Footnote: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2960d7874f..9c1747dae9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/29/2018 +ms.date: 12/17/2018 --- # Policy CSP - DmaGuard @@ -65,7 +65,11 @@ ms.date: 06/29/2018 -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. + +Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + +This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. > [!Note] > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. @@ -105,7 +109,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index abd44c2998..c267e4587c 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1577,7 +1577,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 8ff97003f8..276d6b2c9e 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -420,7 +420,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index c536cc66a5..b1594d5d38 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3588,7 +3588,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 652e5979f3..bccb2e581b 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4859,7 +4859,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index fb505e937f..15119bff73 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -747,7 +747,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index e889b3c61a..bbbecfc8b2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1846,7 +1846,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 52a90d0d51..b254d03c7e 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -660,4 +660,7 @@ Footnote: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. \ No newline at end of file +- 6 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 8e9dd3ce58..25a2c66a62 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1437,7 +1437,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 7001fe088f..e806cf4108 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -93,7 +93,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index e96eb5340c..a6403f3b61 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1334,7 +1334,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 17ee63877e..d1447a5e6c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3576,6 +3576,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 25ff1652b7..d8a9e0a74b 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1430,7 +1430,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 07a7954820..e75a0cf6de 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -286,7 +286,7 @@ ADMX Info: -Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 1ec7b52b6a..1ab9a027c6 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -8,7 +8,7 @@ ms.topic: troubleshooting author: kaushika-msft ms.localizationpriority: medium ms.author: kaushika -ms.date: 11/30/2018 +ms.date: 12/19/2018 --- # Advanced troubleshooting for Stop error or blue screen error issue @@ -101,8 +101,7 @@ The memory dump file is saved at the following locations. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: ->[!video https://www.youtube.com/watch?v=xN7tOfgNKag&feature=youtu.be] - +>[!video https://www.youtube.com/embed/xN7tOfgNKag] More information on how to use Dumpchk.exe to check your dump files: diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index abe019f76c..e66228ba49 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -35,9 +35,8 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "jdecker", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", + "ms.author": "jdecker", + "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 8f2904b128..da6e2cdceb 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jdeckerms -ms.date: 07/30/2018 +ms.date: 01/09/2019 --- # Configure kiosks and digital signs on Windows desktop editions @@ -30,6 +30,9 @@ There are several kiosk configuration methods that you can choose from, dependin ![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. ![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + +>[!IMPORTANT] +>Single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. ## Methods for a single-app kiosk running a UWP app diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 986da71577..4cef49132c 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/09/2019 --- # Prepare a device for kiosk configuration @@ -23,6 +23,11 @@ ms.date: 10/02/2018 > >Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>[!IMPORTANT] +>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4af964b132..7c3e7243b9 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/09/2018 +ms.date: 01/09/2019 --- # Set up a single-app kiosk @@ -24,6 +24,11 @@ ms.date: 10/09/2018 --- | --- A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

    When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) +>[!IMPORTANT] +>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + You have several options for configuring your single-app kiosk. Method | Description diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 232a0d1e60..caa9d860ab 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/09/2019 ms.author: jdecker ms.topic: article --- @@ -39,6 +39,9 @@ New features and improvements | In update You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). + + + ## Configure a kiosk in Microsoft Intune @@ -399,7 +402,7 @@ Before applying the multi-app configuration, make sure the specified user accoun Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. ```xml @@ -416,7 +419,7 @@ Group accounts are specified using ``. Nested groups are not supporte ``` -- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. ```xml diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index d724cae559..0ffbada35e 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 10/09/2018 ms.author: jdecker ms.topic: article --- @@ -21,6 +20,11 @@ ms.topic: article - Windows 10 +## Sign-in issues + +1. Verify that User Account Control (UAC) is turned on. +2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. + ## Unexpected results For example: diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 301f4a7b07..de3fecb42b 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -47,7 +47,7 @@ You’ll need to deploy a settings storage location, a standard network share wh **Create a network share** -1. Create a new security group and add UE-V users to it. +1. Create a new security group and add UE-V users to the group. 2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. @@ -80,7 +80,7 @@ For evaluation purposes, enable the service on at least two devices that belong The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `Register-UevTemplate [TemplateName]` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. For instance, to register all built-in UE-V templates, use the following PowerShell Command: -'Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}' +`Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}` A storage path must be configured on the client-side to tell where the personalized settings are stored. diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index d3dbe83cdf..e2bdada785 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md @@ -8,121 +8,10 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 12/18/2018 --- # HotSpot (Windows Configuration Designer reference) -Use HotSpot settings to configure Internet sharing. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - ->[!NOTE] ->Although the HotSpot settings are available in advanced editing for multiple editions, the settings are only supported on devices running Windows 10 Mobile. - -## DedicatedConnections - -(Optional) Set DedicatedConnections to a semicolon-separated list of connections. - -Specifies the list of Connection Manager cellular connections that Internet sharing will use as public connections. - -By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections. - -Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. - -The mapping policy will also include the connection specified in the TetheringNAIConnection value as well. - - If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share. - - - -## Enabled - -Specify **True** to enable Internet sharing on the device or **False** to disable Internet sharing. - -If Enabled is initially set to **True**, the feature is turned off and the internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible. - -When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on. - -## EntitlementDll - -Enter the path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operator's network. - -## EntitlementInterval - -Enter the time interval, in seconds, between entitlement checks. - -## EntitlementRequired - -Specify whether the device requires an entitlement check to determine if Internet sharing should be enabled. - -## MaxBluetoothUsers - -(Optional) Specify the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. Set MaxBluetoothUsers to an integer value between 1 and 7 inclusive. The default value is 7. - - -## MaxUsers - -(Optional) Specify the maximum number of simultaneous users that can be connected to a device while sharing. Set MaxUsers to an integer value between 1 and 8 inclusive. The default value is 5. - - -## MOAppLink - -(Optional) Enter an application link that points to a pre-installed application, provided by the mobile operator. that will help a user to subscribe to the mobile operator's Internet sharing service when Internet sharing is not provisioned or entitlement fails. - -Set MOAppLink to a valid app ID. The general format for the link is *app://MOappGUID*. For example, if your app ID is `12345678-9012-3456-7890-123456789012`, you must set the value to `app://12345678-9012-3456-7890-123456789012`. - - -## MOHelpMessage - -(Optional) Enter a reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form: - -``` -@,- -``` - -Where `` is the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx). - -## MOHelpNumber - -(Optional) Enter a mobile operator–specified phone number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help. - - - -## MOInfoLink - -(Optional) Enter a mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature. - -## PeerlessTimeout - -(Optional) Enter the time-out period, in minutes, after which Internet sharing should automatically turn off if there are no active clients. - -Set PeerlessTimeout to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes. - -## PublicConnectionTimeout - -(Optional) Enter the time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. - -Set PublicConnectionTimeout to any value between 1 and 60 inclusive. The default value is 20 minutes. A value of 0 is not supported. - - -## TetheringNAIConnection - -(Optional) Specify the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. Set TetheringNAIConnection to the CDMA TetheringNAI Connection Manager cellular connection. - -If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node. - -Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.The mapping policy will also include the connection specified in the TetheringNAIConnection value as well. - -If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share. - ->[!NOTE] ->CDMA phones are limited to one active data connection at a time. This means any application or service (such as e-mail or MMS) that is bound to another connection may not work while Internet sharing is turned on. - - - +Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](#wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/cosa-overview). diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 6ddc8bd462..c3a9c02907 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -45,7 +45,7 @@ This section describes the settings that you can configure in [provisioning pack | [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | | [FirstExperience](wcd-firstexperience.md) | | | | X | | | [Folders](wcd-folders.md) |X | X | X | X | | -| [HotSpot](wcd-hotspot.md) | X | X | X | X | X | +| [HotSpot](wcd-hotspot.md) | | | | | | | [InitialSetup](wcd-initialsetup.md) | | X | | | | | [InternetExplorer](wcd-internetexplorer.md) | | X | | | | | [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4e9ee7e411..e7d62d3cd1 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 12/07/2018 +ms.date: 12/18/2018 author: greg-lindsay --- @@ -23,6 +23,10 @@ This topic provides an overview of new solutions and online content related to d - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index). - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). +## Recent additions to this page + +[SetupDiag](#setupdiag) 1.4 is released. + ## The Modern Desktop Deployment Center The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. @@ -56,6 +60,12 @@ Windows Autopilot streamlines and automates the process of setting up and config Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md). +### SetupDiag + +[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + +SetupDiag version 1.4 was released on 12/18/2018. + ### Upgrade Readiness The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. @@ -145,5 +155,3 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra
    [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
    [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
    [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) - - \ No newline at end of file diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index e722db5465..0b6ae0597d 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -37,7 +37,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "greglin", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 51f0ecee10..4c54a99d29 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -38,7 +38,7 @@ Windows 10 in S mode is built for [modern management](https://docs.microsoft.com ## Keep line of business apps functioning with Desktop Bridge -Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of buisness apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. ## Repackage Win32 apps into the MSIX format diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md new file mode 100644 index 0000000000..a8a889c72c --- /dev/null +++ b/windows/deployment/update/waas-morenews.md @@ -0,0 +1,19 @@ +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/19/2018 +ms.localizationpriority: high +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + \ No newline at end of file diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 1ea7a5532f..eda470b750 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -1,14 +1,14 @@ --- title: Enrolling devices in Windows Analytics (Windows 10) description: Enroll devices to enable use of Update Compliance, Upgrade Readiness, and Device Health in Windows Analytics. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, azure portal ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 11/01/2018 +ms.date: 01/09/2019 ms.localizationpriority: medium --- @@ -51,7 +51,7 @@ To enable data sharing, configure your proxy server to whitelist the following e | `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | | `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | | `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices runningrunning Windows 10, version 1703 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices running Windows 10, version 1803 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | | `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 *without* the 2018-09 Cumulative Update installed | | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier | | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 | diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 2864e9cf63..de4b23511b 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -6,7 +6,7 @@ ms.topic: landing-page ms.manager: elizapo author: lizap ms.author: elizapo -ms.date: 12/12/2018 +ms.date: 12/19/2018 ms.localizationpriority: high --- # Windows as a service @@ -25,6 +25,8 @@ Windows 10 is the most secure version of Windows yet. Learn what updates we rele The latest news: +
  • Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018 -[See more news](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog) +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). ## IT pro champs corner Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. @@ -134,4 +134,4 @@ Looking to learn more? These informative session replays from Microsoft Ignite 2 [THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) \ No newline at end of file +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index dee55745d3..53856948d2 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 08/16/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -24,7 +24,7 @@ ms.localizationpriority: medium ## About SetupDiag -Current version of SetupDiag: 1.3.1.0 +Current version of SetupDiag: 1.4.0.0 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. @@ -61,11 +61,14 @@ The [Release notes](#release-notes) section at the bottom of this topic has info | --- | --- | | /? |
    • Displays interactive help
    | | /Output:\ |
    • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
    • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
    | -| /Mode:\ |
    • This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
    • Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
    • Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
    • Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
    • Default: If not specified, SetupDiag will run in Online mode.
    | -| /LogsPath:\ |
    • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
    | +| /LogsPath:\ |
    • This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories.
    | | /ZipLogs:\ |
    • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
    • Default: If not specified, a value of 'true' is used.
    | -| /Verbose |
    • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
    | +| /Verbose |
    • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
    | | /Format:\ |
    • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
    | +| /NoTel |
    • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
    | + +Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. +- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed. ### Examples: @@ -75,10 +78,10 @@ In the following example, SetupDiag is run with default parameters (online mode, SetupDiag.exe ``` -In the following example, SetupDiag is specified to run in Online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. +In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Online +SetupDiag.exe /Output:C:\SetupDiag\Results.log ``` The following example uses the /Output parameter to save results to a path name that contains a space: @@ -90,7 +93,7 @@ SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log" The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:D:\Temp\Logs\LogSet1 +SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 ``` ## Log files @@ -111,7 +114,7 @@ When Microsoft Windows encounters a condition that compromises safe system opera If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps. To debug a setup related bug check, you must: -- Specify the **/Mode:Offline** and **/LogsPath** parameters. You cannot debug memory dumps in online mode. +- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode. - Gather the setup memory dump file (setupmem.dmp) from the failing system. - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. - Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag. @@ -119,7 +122,7 @@ To debug a setup related bug check, you must: In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag: ``` -SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump +SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump ``` ## Known issues @@ -135,10 +138,10 @@ The following is an example where SetupDiag is run in offline mode. In this exam The output also provides an error code 0xC1900208 - 0x4000C which corresponds to a compatibility issue as documented in the [Upgrade error codes](upgrade-error-codes.md#result-codes) and [Resolution procedures](resolution-procedures.md#modern-setup-errors) topics in this article. ``` -C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:C:\Temp\BobMacNeill +C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:C:\Temp\BobMacNeill -SetupDiag v1.01 -Copyright (c) Microsoft Corporation. All rights reserved +SetupDiag v1.4.0.0 +Copyright (c) Microsoft Corporation. All rights reserved. Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait. Found 4 setupact.logs. @@ -365,16 +368,42 @@ Each rule name and its associated unique rule identifier are listed with a descr 40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. + - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. 43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 - - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code. 44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. +45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960 + - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation. +46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71 + - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code. +47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E + - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration +48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 + - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code. +49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 + - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. +50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317 + - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. +51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4 + - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. +52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD + - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code. +53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980 + - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code. ## Release notes +12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. + - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! + - The FindDownlevelFailure rule is up to 10x faster. + - New rules have been added to analyze failures upgrading to Windows 10 version 1809. + - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. + - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. + - Some functional and output improvements were made for several rules. + 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index df329861e8..0cf15ed303 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -9,16 +9,16 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 01/03/2018 --- # Overview of Windows Autopilot **Applies to** -- Windows 10 +- Windows 10 -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
    +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.
    This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. @@ -34,121 +34,41 @@ Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intu The following video shows the process of setting up Windows Autopilot:
    - + + ## Benefits of Windows Autopilot -Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. -From the users' perspective, it only takes a few simple operations to make their device ready to use. +From the user's perspective, it only takes a few simple operations to make their device ready to use. -From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported: +- Pro +- Pro Education +- Pro for Workstations +- Enterprise +- Education + +See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on configuration, network, and licensing requirements. ## Windows Autopilot Scenarios -### Cloud-Driven +Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user. -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. -#### The Windows Autopilot Deployment Program experience +See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for more information about scenarios for using Windows Autopilot. -The Windows Autopilot Deployment Program enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -##### Prerequisites - ->[!NOTE] ->Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -* [Devices must be registered to the organization](#device-registration-and-oobe-customization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. - -
    - - -#### Device registration and OOBE customization - -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. - -Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*starting with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -##### Configure MDM auto-enrollment in Microsoft Intune - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -#### Network connectivity requirements - -The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. - ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - - -### Self-Deploying - -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). - - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. +## Related topics +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot) \ No newline at end of file diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index c7c10965fd..f50049e9bc 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -32,14 +32,18 @@ You must have administrative privilege on the device in order to use this PowerS You must install the module before you can use the Diagnostic Data Viewer for PowerShell. +### Opening an Elevated PowerShell session + +Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. +- Go to **Start** > **Windows PowerShell** > **Run as administrator** +- Go to **Start** > **Command prompt** > **Run as administrator**, and run the command `C:\> powershell.exe` + ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. -To install the newest version of the Diagnostic Data Viewer PowerShell module: -1. From an elevated Command Prompt, start a PowerShell session by running `C:\> powershell.exe`. -2. Install the module by name +To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer ``` @@ -60,10 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat **To turn on data viewing through PowerShell** -1. Install the Diagnostic Data Viewer for PowerShell module. -2. Run the Command prompt **as administrator**. -3. Start a PowerShell session by running `C:\> powershell.exe`. -4. Run the following commands in the PowerShell session: +Run the following command within an elevated PowerShell session: ```powershell PS C:\> Enable-DiagnosticDataViewing @@ -74,22 +75,6 @@ Once data viewing is enabled, your Windows machine will begin saving a history o >[!IMPORTANT] >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. -### Start the Diagnostic Data Viewer -You must start this app from the **Settings** panel. - -**To start the Diagnostic Data Viewer** -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - -2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - - ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

    -OR-

    - - Go to **Start** and search for _Diagnostic Data Viewer_. - -3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. - - >[!IMPORTANT] - >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Getting Started with Diagnostic Data Viewer for PowerShell To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: @@ -149,9 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v **To turn off data viewing through PowerShell** -1. Run the Command prompt **as administrator**. -2. Start a PowerShell session by running `C:\> powershell.exe`. -3. Run the following commands in the PowerShell session: +Within an elevated PowerShell session, run the following command: ```powershell PS C:\> Disable-DiagnosticDataViewing diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index d581476641..35561d07af 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -22,4 +22,5 @@ ### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) ### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 01f681caf7..79ef8ac888 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 12/13/2018 +ms.date: 12/27/2018 --- @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1703 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -1810,47 +1810,46 @@ This event sends data about boot IDs for which a normal clean shutdown was not o The following fields are available: - **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. -- **CrashDumpEnabled** OS configuration of the type of crash dump enabled; 0 = not enabled -- **CumulativeCrashCount** Cumulative count of OS crashes since the BootId reset -- **CurrentBootId** Retrieves the current boot ID. +- **CrashDumpEnabled** Indicates whether crash dumps are enabled. +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. - **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. - **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. - **FirmwareResetReasonPch** Hardware-supplied reason for the reset. - **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. - **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. - **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. - **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **LastBugCheckBootId** "bootId of the captured Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the rest of the information""""ootId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the """"otId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does n""""tId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check inf""""Id of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or th""""d of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId"""" of the captured ""Last Bug Check""; important to match Abno""""of the captured ""Last Bug Check""; import""""f the captured ""Last Bu"""" the ca""" -- **LastBugCheckCode** Bug Check code indicating the type of error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckContextFlags** Additional crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckOriginalDumpType** Type of crashdump the system intended to save; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckOtherSettings** Other crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckParameter1** First Bug Check parameter with additional info on the type of the error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckProgress** Progress towards writing out the last crashdump; non-zero value indicates an attempt; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled .> 0) -- **LastSuccessfullyShutdownBootId** Retrieves the last successfully/cleanly shutdown boot ID. -- **PowerButtonCumulativePressCount** "Number of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been pressed ("pressed" not to be confused wit""mber of times the Power Button """umber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been ""mber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonL""ber of times the Power Button was detected to have been pressed (pressed" not""er o" -- **PowerButtonCumulativeReleaseCount** "Number of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been released ("released" not to be confused wit""mber of times the Power Button w"""umber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been r""mber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLa""ber of times the Power Button was detected to have been released (released" n""er" -- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g. due to a failure to lock/update the bootstat file) -- **PowerButtonLastPressBootId** "BootId of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been pressed (pressed"""" -- **PowerButtonLastPressTime** "Date/time of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been pressed (press" -- **PowerButtonLastReleaseBootId** "BootId of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been released (releas" -- **PowerButtonLastReleaseTime** "Date/time of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been released (rel" +- **LastBugCheckBootId** The Boot ID of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown. +- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). +- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). +- **PowerButtonLastPressBootId** The Boot ID of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastPressTime** The date and time the Power Button was most recently pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). +- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). - **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed -- **PowerButtonPressLastPowerWatchdogStage** Progress while monitor/display is being turned on; ranges from 0 (no progress) to 0x50 (completion); if PowerButtonPressPowerWatchdogArmed == TRUE (armed), the value represents the current stage whereas if PowerButtonPressPowerWatchdogArmed == FALSE (not armed),the value represents the last completed stage at the time of the last Power Button press, -- **PowerButtonPressPowerWatchdogArmed** Inidicates whether or not the watchdog for the monitor/display was active at the time of the last Power Button press -- **TransitionInfoBootId** "BootId of the captured Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the rest of the information""""ootId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the """"otId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does n""""tId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Inf""""Id of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis o""""d of the captured ""Transition Info""; important to match AbnormalShutdownBo"""" of the captured ""Transition Info""; important to match """"of the captured ""Transition Info""; im""""f the captured ""Tran"""" the""" -- **TransitionInfoCSCount** "Total number of times the system transitioned from Connected Standby mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Connected Standby mode to on" at""tal" -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode -- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode -- **TransitionInfoCSInProgress** At the time the last marker was saved,the system was in or entering Connected Standby mode -- **TransitionInfoLastReferenceTimeChecksum** Checksum of TransitionInfoLastReferenceTimestamp -- **TransitionInfoLastReferenceTimestamp** Date/time the marker was last saved -- **TransitionInfoPowerButtonTimestamp** Date/time of the last time the Power Button was detected to have been pressed (collected via a different mechanism than PowerButtonLastPressTime) -- **TransitionInfoSleepInProgress** At the time the last marker was saved,the system was in or entering Sleep mode -- **TransitionInfoSleepTranstionsToOn** "Total number of times the system transitioned from Sleep mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Sleep mode to on" at the time th""tal number of t" -- **TransitionInfoSystemRunning** At the time the last marker was saved,the system was running +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **TransitionInfoBootId** The Boot ID of the captured transition information. +- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). +- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). +- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). +- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. +- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. +- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. - **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. - **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. - **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. @@ -3008,8 +3007,8 @@ The following fields are available: - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. - **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. @@ -3927,7 +3926,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3963,7 +3962,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store. +- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -4165,7 +4164,7 @@ The following fields are available: - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4209,7 +4208,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4866,11 +4865,11 @@ The following fields are available: - **RebootReason** Reason for the reboot. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index bd9b834375..63376e03ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1709 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -3185,8 +3185,8 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -3642,7 +3642,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3659,7 +3659,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **RebootRequired** Indicates if a reboot was required to complete the action. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3674,7 +3674,7 @@ The following fields are available: - **CachedEngineVersion** The engine DLL version that is being used. - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3690,7 +3690,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **Service** The service that is being stopped/started. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StateChange** The service operation (stop/start) is being attempted. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3708,7 +3708,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3784,7 +3784,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3854,7 +3854,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3920,7 +3920,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state @@ -3980,7 +3980,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4007,7 +4007,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4028,7 +4028,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -4941,11 +4941,11 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index af938824ba..c8a8b09e66 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1803 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -4148,8 +4148,8 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -4493,7 +4493,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. - **IsExecutingAction** If the action is presently being executed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). @@ -4515,7 +4515,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **WuapiVersion** The Windows Update API version that is currently installed. - **WuaucltVersion** The Windows Update client version that is currently installed. @@ -4595,7 +4595,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4631,7 +4631,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4694,7 +4694,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -4815,7 +4815,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4841,7 +4841,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4863,7 +4863,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -5675,7 +5675,7 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 0d1c11c6b4..639c8005ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1809 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -4631,7 +4631,7 @@ The following fields are available: - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4667,7 +4667,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4743,7 +4743,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. @@ -4873,7 +4873,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4924,7 +4924,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -4945,7 +4945,7 @@ The following fields are available: - **CmdLineArgs** Command line arguments passed in by the caller. - **EventInstanceID** A globally unique identifier for the event instance. - **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **WUDeviceID** Unique device ID controlled by the software distribution client. @@ -4984,7 +4984,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -5005,7 +5005,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -5027,7 +5027,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob @@ -5754,7 +5754,7 @@ The following fields are available: - **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 801539efd6..98296c6b76 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -36,8 +36,6 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "daniha", - "ms.date": "05/10/2018", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 92c2dfc96e..2e754c9ad3 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index 5cbbfcd3d1..f508978478 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index dd3a50a2fe..54dc118d49 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index 72a79162f0..89c04ebc76 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md index ea2c517a4f..39343b19d9 100644 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -48,13 +49,14 @@ We used the following methodology to derive these network endpoints: | cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -|dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | | fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | @@ -63,21 +65,24 @@ We used the following methodology to derive these network endpoints: | ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | | query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | | ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | | settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | | sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | | storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | | tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | | watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | ## Windows 10 Pro - | **Destination** | **Protocol** | **Description** | | --- | --- | --- | | *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | @@ -92,11 +97,13 @@ We used the following methodology to derive these network endpoints: | cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | @@ -118,6 +125,7 @@ We used the following methodology to derive these network endpoints: | au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | | cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | | client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store | config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | | ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | | cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | @@ -129,6 +137,7 @@ We used the following methodology to derive these network endpoints: | fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | | g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | @@ -138,11 +147,14 @@ We used the following methodology to derive these network endpoints: | ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | | sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | | storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | | vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | | watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | +| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md new file mode 100644 index 0000000000..222b37d0e2 --- /dev/null +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -0,0 +1,159 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|*.aria.microsoft.com* | HTTPS | Office Telemetry +|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. +|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. +|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|*.Skype.com | HTTP/HTTPS | Skype related traffic +|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic +|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. +|*cdn.onenote.net* | HTTP | OneNote related traffic +|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic +|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|*maps.windows.com* | HTTPS | Related to Maps application. +|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry +|*photos.microsoft.com* | HTTPS | Photos App related traffic +|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|*wac.phicdn.net* | HTTP | Windows Update related traffic +|*windowsupdate.com* | HTTP | Windows Update related traffic +|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.micorosoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 50c63fd31c..529d064913 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 12/08/2018 +ms.date: 12/20/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -38,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks -Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping). -Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). +Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. +By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. ## User experience ![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) -A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged. -The devices will continue to function normally if the user locks the screen or logs out of the system. +A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. +Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -88,7 +88,7 @@ For systems that do not support Kernel DMA Protection, please refer to the [BitL ## Frequently asked questions ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. @@ -108,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. -### How can an enterprise enable the “External device enumeration” policy? -The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM): +### How can an enterprise enable the External device enumeration policy? +The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +The policy can be enabled by using: + - Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection -- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) +- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) ## Related topics diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 9b287bed8c..3d34861247 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -17,6 +17,7 @@ ms.date: 11/29/2018 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. @@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu ### Automatic initialization of the TPM with Windows 10 -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. @@ -69,18 +70,18 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | -|-------------|-------------|---------------------| -| TPM 1.2 | >= ver 1607 | >= ver 1607 | -| TPM 2.0 | X | X | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +|-------------|-------------|---------------------|---------------------| +| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | +| TPM 2.0 | Yes | Yes | Yes | ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 9dce29791b..2c82639fdb 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.author: justinha -ms.date: 05/30/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -104,7 +104,7 @@ This table provides info about the most common problems you might encounter whil
  • SavedGames
    • - WIP isn’t turned on for employees in your organization. + WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index e31ecb598c..baac7dff4d 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 12/20/2018 --- # 4672(S): Special privileges assigned to new logon. @@ -18,7 +18,7 @@ ms.date: 04/19/2017 Event 4672 illustration - +
    ***Subcategory:*** [Audit Special Logon](audit-special-logon.md) ***Event Description:*** @@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | | SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | | SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
    With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
    The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | | SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | | SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 6629438e93..1f94b66e1c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -8,56 +8,57 @@ ms.pagetype: security ms.localizationpriority: medium ms.author: justinha author: justinha -ms.date: 11/15/2018 +ms.date: 12/20/2018 --- -# How to control USB devices and other removable media using Intune +# How to control USB devices and other removable media using Windows Defender ATP **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Windows Defender ATP provides multiple monitoring and control features for USB peripherals to help prevent threats in unauthorized peripherals from compromising your devices: -You can configure Intune settings to reduce threats from removable storage such as USB devices, including: +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). -- [Block unwanted removeable storage](#block-unwanted-removable-storage) -- [Protect allowed removable storage](#protect-allowed-removable-storage) +3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. -Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). -We recommend enabling real-time protection for improved scanning performance, especially for large storage devices. -If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. -You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted. +>[!NOTE] +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. -> [!NOTE] -> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). -## Block unwanted removeable storage +## Prevent threats from removable storage + +Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. -1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +### Enable Windows Defender Antivirus Scanning - ![Create device configuration profile](images/create-device-configuration-profile.png) +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. -3. Use the following settings: +- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. +- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. - - Name: Windows 10 Device Configuration - - Description: Block removeable storage and USB connections - - Platform: Windows 10 and later - - Profile type: Device restrictions +>[!NOTE] +>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**. - ![Create profile](images/create-profile.png) + -4. Click **Configure** > **General**. +### Block untrusted and unsigned processes on USB peripherals -5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. - - ![General settings](images/general-settings.png) - -6. Click **OK** to close **General** settings and **Device restrictions**. - -7. Click **Create** to save the profile. - -Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies. - -## Protect allowed removable storage +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). @@ -73,7 +74,7 @@ These settings require [enabling real-time protection](https://docs.microsoft.co - Platform: Windows 10 or later - Profile type: Endpoint protection - ![Create enpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. @@ -83,4 +84,104 @@ These settings require [enabling real-time protection](https://docs.microsoft.co 6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**. -7. Click **Create** to save the profile. \ No newline at end of file +7. Click **Create** to save the profile. + +### Protect against Direct Memory Access (DMA) attacks + +DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: + +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. + + Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: + + - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) + - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) + + +## Detect plug and play connected events + +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +## Respond to threats + +Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. + +>[!Note] +>Always test and refine these settings with a pilot group of users and devices first before applying them in production. + +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +| Control | Description | +|----------|-------------| +| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | +| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | +| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + +>[!Note] +>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. + +### Block installation and usage of removable storage + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions + + ![Create profile](images/create-profile.png) + +4. Click **Configure** > **General**. + +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. + + ![General settings](images/general-settings.png) + +6. Click **OK** to close **General** settings and **Device restrictions**. + +7. Click **Create** to save the profile. + +### Only allow installation and usage of specifically approved peripherals + +Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation). +For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0". + +![Custom profile](images/custom-profile-allow-device-ids.png) + +Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + +For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). +Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). + +### Prevent installation of specifically prohibited peripherals + +Windows Defender ATP also blocks installation and usage of prohibited peripherals with a custom profile in Intune. +For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed. + +![Custom profile](images/custom-profile-prevent-device-ids.png) + +For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). + +## Related topics + +- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) +- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) +- [Perform a custom scan of a removable device](https://aka.ms/scanusb) +- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) + + + diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png index 1e0f0587a3..1b6d4aa708 100644 Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png new file mode 100644 index 0000000000..95ac48ec54 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png new file mode 100644 index 0000000000..d949232d44 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png new file mode 100644 index 0000000000..44be977537 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png differ diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png new file mode 100644 index 0000000000..cf8399acf4 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png differ diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 5dc552c190..b4f4ff5cc4 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -13,9 +13,9 @@ ms.date: 08/01/2018 # Microsoft Safety Scanner Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. -- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733) +- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733) -- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732) +- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md new file mode 100644 index 0000000000..f8676a335b --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md @@ -0,0 +1,8 @@ +--- +author: jasongerend +ms.author: jgerend +ms.date: 1/4/2019 +ms.topic: include +ms.prod: w10 +--- +Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 988d211159..78a93d1dc7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (always) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 16cffebd8d..74f1f7f04d 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) @@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 8e2cdd2740..9661827e2a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/201 +ms.date: 01/04/2019 --- # SMB v1 Microsoft network server: Digitally sign communications (always) @@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 654a737d1a..7443f0f9de 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 27e5ec8d90..b5c590602d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 11/28/2018 +ms.date: 01/08/2019 --- # Windows Defender Application Control @@ -38,7 +38,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. +They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index b3d5cbfb91..6dfed8dd52 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 12/20/2018 --- # Configure HP ArcSight to pull Windows Defender ATP alerts @@ -51,10 +51,10 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight SmartConnector +## Install and configure HP ArcSight FlexConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). -1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. +1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. 2. Follow the installation wizard through the following tasks: - Introduction @@ -66,7 +66,7 @@ The following steps assume that you have completed all the required steps in [Be You can keep the default values for each of these tasks or modify the selection to suit your requirements. -3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example: +3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example: - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 557b83c494..2b00cbb179 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/27/2018 +ms.date: 12/19/2018 --- # Customize attack surface reduction rules @@ -47,7 +47,7 @@ Rule description | GUID -|:-:|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 6c8ae105ee..1655e466e9 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -4,6 +4,4 @@ ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) - - +## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) \ No newline at end of file diff --git a/windows/whats-new/images/Defender.png b/windows/whats-new/images/Defender.png index a99f5992a0..1d14812242 100644 Binary files a/windows/whats-new/images/Defender.png and b/windows/whats-new/images/Defender.png differ diff --git a/windows/whats-new/images/WebSignIn.png b/windows/whats-new/images/WebSignIn.png index 4afa324aec..1a2c0ed270 100644 Binary files a/windows/whats-new/images/WebSignIn.png and b/windows/whats-new/images/WebSignIn.png differ diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png index 8fd800dcfa..f5fd5287bc 100644 Binary files a/windows/whats-new/images/virus-and-threat-protection.png and b/windows/whats-new/images/virus-and-threat-protection.png differ diff --git a/windows/whats-new/images/wdatp.png b/windows/whats-new/images/wdatp.png new file mode 100644 index 0000000000..79410f493f Binary files /dev/null and b/windows/whats-new/images/wdatp.png differ diff --git a/windows/whats-new/images/windows-defender-atp.png b/windows/whats-new/images/windows-defender-atp.png new file mode 100644 index 0000000000..938ac2c72d Binary files /dev/null and b/windows/whats-new/images/windows-defender-atp.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 12fae68091..47357b364c 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -35,7 +35,9 @@ Windows 10 provides IT professionals with advanced protection against modern sec - [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) +## See also +[Windows 10 Enterprise LTSC](ltsc/index.md)     diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md new file mode 100644 index 0000000000..6dfee34a97 --- /dev/null +++ b/windows/whats-new/ltsc/TOC.md @@ -0,0 +1,4 @@ +# [Windows 10 Enterprise LTSC](index.md) +## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md) +## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md) +## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) \ No newline at end of file diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md new file mode 100644 index 0000000000..0cb35c6223 --- /dev/null +++ b/windows/whats-new/ltsc/index.md @@ -0,0 +1,51 @@ +--- +title: Windows 10 Enterprise LTSC +description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.date: 12/27/2018 +ms.localizationpriority: low +--- + +# Windows 10 Enterprise LTSC + +**Applies to** +- Windows 10 Enterprise LTSC + +## In this topic + +This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. + +[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
    +[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
    +[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) + +## The Long Term Servicing Channel (LTSC) + +The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. + +| LTSC release | Equivalent SAC release | Availability date | +| --- | --- | --- | +| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | +| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | +| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | + +>[!NOTE] +>The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. + +The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. + +With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. + +>[!IMPORTANT] +>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. + +For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview.md). + +## See Also + +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    +[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option. \ No newline at end of file diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md new file mode 100644 index 0000000000..cc7f3c8058 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -0,0 +1,307 @@ +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). + +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### Applocker + +Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to Applocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### Bitlocker + +Enhancements to Applocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. **TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). + +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + +  +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. + +- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. +- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. +- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. +- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. + +### Enterprise guidance + +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). + +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. + +[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md new file mode 100644 index 0000000000..06db4b735f --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -0,0 +1,172 @@ +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.date: 01/08/2019 +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. +- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### Bitlocker + +#### New Bitlocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md new file mode 100644 index 0000000000..d9c630f7f0 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -0,0 +1,712 @@ +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: + - Advanced protection against modern security threats + - Full flexibility of OS deployment + - Updating and support options + - Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +###### Windows Defender Application Guard + +Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](https://docs.microsoft.com/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview). + +Windows Defender Application Guard has support for Edge and has extensions for Chrome and Firefox. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements) + +Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security Center. + +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: + +1. Go to **Windows Security** and select **App & browser control**. +2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. +3. Select **Change Application Guard** settings. +4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](../images/1_AppBrowser.png "app and browser control") +![Isolated browser](../images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](../images/3_ChangeSettings.png "change settings") +![view WDAG settings](../images/4_ViewSettings.jpg "view settings") + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: + - [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) + - [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) + - [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) + - [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) + - [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: + - [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) + - [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) + - [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: + - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc.md) in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](../images/fastsignin.png "fast sign-in") + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](../images/websignin.png "web sign-in") + +## Deployment + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). + +#### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). + + +#### Autopilot Reset + +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). + +### DISM + +The following new DISM commands have been added to manage feature updates: + + DISM /Online /Initiate-OSUninstall + – Initiates a OS uninstall to take the computer back to the previous installation of windows. + DISM /Online /Remove-OSUninstall + – Removes the OS uninstall capability from the computer. + DISM /Online /Get-OSUninstallWindow + – Displays the number of days after upgrade during which uninstall can be performed. + DISM /Online /Set-OSUninstallWindow + – Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). + +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + + /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) + +New command-line switches are also available to control BitLocker: + + Setup.exe /BitLocker AlwaysSuspend + – Always suspend bitlocker during upgrade. + Setup.exe /BitLocker TryKeepActive + – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + Setup.exe /BitLocker ForceKeepActive + – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Windows Analytics + +### Upgrade Readiness + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Co-management + +Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Windows Configuration Designer + +Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +Windows Configuration Designer in Windows 10 Enterprise 2019 LTSC includes several new wizards to make it easier to create provisioning packages. + +![wizards for desktop, mobile, kiosk, Surface Hub](../images/wcd-options.png) + +Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp). + +![remove pre-installed software option](../images/wcd-cleanpc.png) + +[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](../images/bulk-token.png) + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + + +### Cortana at work + +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. + +Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. + +For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) + +## Microsoft Edge + +iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip). + +Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved. + +#### Microsoft Edge Group Policies + +We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies). + +## Windows Update + +### Windows Update for Business + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). + + +## Configuration + +### Kiosk Configuration + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. + +![set up a kiosk](../images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](../images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +>[!NOTE] +>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +1. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. + +![multi-app assigned access](../images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +2. **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](../images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). + +### Windows 10 kiosk and Kiosk Browser + +With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below. + +- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons. +- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies +- Support for multiple screens for digital signage use cases. +- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page. +- The ability to configure and run Shell Launcher in addition to existing UWP Store apps. +- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases. +- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups. +- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues. + +For more information, see: +- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/) +- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691) + +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +How it works: + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +Enabling Miracast over Infrastructure: + +If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. \ No newline at end of file diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 64fcbb7821..04956b3138 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -5,8 +5,7 @@ keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Up ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dawnwood -ms.date: 10/02/2018 +author: greg-lindsay ms.localizationpriority: high --- @@ -20,32 +19,11 @@ The following 3-minute video summarizes some of the new features that are availa   - - - > [!video https://www.youtube.com/embed/hAva4B-wsVA] -## Your Phone app +## Deployment -Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. - -For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. - -![your phone](images/your-phone.png "your phone") - -The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. - -## Wireless projection experience - -One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: - -* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible -* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly -* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. - -![wireless projection banner](images/beaming.png "wireless projection banner") - -## Windows Autopilot self-deploying mode +### Windows Autopilot self-deploying mode Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. @@ -55,64 +33,15 @@ You can utilize Windows Autopilot self-deploying mode to register the device to To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). -## Kiosk setup experience +### SetupDiag -We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. +[SetupDiag](/windows/deployment/upgrade/setupdiag.md) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. -To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. - -![set up a kiosk](images/kiosk-mode.png "set up a kiosk") - -Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. - -1.__Digital / Interactive signage__ that displays a specific website full-screen and runs InPrivate mode. -2.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. - -![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") - -Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. - ->[!NOTE] ->The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. - -1.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. - -![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") - -2.__Normal mode__ runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. - -![normal mode](images/Normal_inFrame.png "normal mode") - -Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -![Enter your credentials](images/RDPwBioTime.png "Windows Hello") - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click __Connect__. - -Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click __More choices__ to choose alternate credentials. - -![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") - -In this example, Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## Security Improvements +## Security We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") - + ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -124,8 +53,6 @@ We’re continuing to work on how other security apps you’ve installed show up This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). -
    HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1
    - ### BitLocker #### Silent enforcement on fixed drives @@ -146,16 +73,20 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. -Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: -To try this, 1. Go to**Windows Security** and select **App & browser control**. -![Security at a glance](images/1_AppBrowser.png "app and browser control") 2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. -![Isolated browser](images/2_InstallWDAG.png "isolated browsing") 3. Select **Change Application Guard** settings. -![change WDAG settings](images/3_ChangeSettings.png "change settings") 4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](images/1_AppBrowser.png "app and browser control") +![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](images/3_ChangeSettings.png "change settings") ![view WDAG settings](images/4_ViewSettings.jpg "view settings") ### Windows Security Center @@ -215,6 +146,42 @@ Windows Defender ATP now adds support for Windows Server 2019. You'll be able to - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
    Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor +## Kiosk setup experience + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. + +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +>[!NOTE] +>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. + +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") + ## Faster sign-in to a Windows 10 shared pc Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! @@ -224,7 +191,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables 2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. 3. Sign-in to a shared PC with your account. You'll notice the difference! -![fast sign-in](images/fastsignin.png "fast sign-in") + ![fast sign-in](images/fastsignin.png "fast sign-in") ## Web sign-in to Windows 10 @@ -236,4 +203,36 @@ Until now, Windows logon only supported the use of identities federated to ADFS 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. -![Web sign-in](images/websignin.png "web sign-in") + ![Web sign-in](images/websignin.png "web sign-in") + +## Your Phone app + +Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. + +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. + +![your phone](images/your-phone.png "your phone") + +The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. + +## Wireless projection experience + +One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: + +* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible +* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly +* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. + +![wireless projection banner](images/beaming.png "wireless projection banner") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") \ No newline at end of file