diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 12e1c2171d..b22ded8a4f 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -16,6 +16,9 @@ localizationpriority: high - Windows 10, Windows Insider Program - Windows 10 Mobile, Windows Insider Program +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. @@ -26,105 +29,1003 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Group Policy settings Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations: -|Policy name|Supported versions|Description|Options| -|-------------|------------|-------------|--------| -|Allow Address bar drop-down list suggestions|Windows 10, Windows Insider Program|This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.

**Note**
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.

If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge.

If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|**Enabled or not configured (default):** Employees can see the Address bar drop-down functionality in Microsoft Edge.

**Disabled:** Employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".| -|Allow Adobe Flash|Windows 10 or later|This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.

If you enable or don't configure this setting, employees can use Adobe Flash.

If you disable this setting, employees can't use Adobe Flash.|**Enabled or not configured (default):** Employees use Adobe Flash in Microsoft Edge.

**Disabled:** Employees can’t use Adobe Flash.| -|Allow clearing browsing data on exit|Windows 10, Windows Insider Program|This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.

If you enable this policy setting, clearing browsing history on exit is turned on.

If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.|**Enabled:** Turns on the automatic clearing of browsing data when Microsoft Edge closes.

**Disabled or not configured (default):** Employees can turn on and configure whether to automatically clear browsing data when Microsoft Edge closes in the Clear browsing data options area under Settings.| -|Allow Developer Tools|Windows 10, Version 1511 or later|This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.

If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.

If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.|**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.

**Disabled:** Hides the F12 Developer Tools on Microsoft Edge.| -|Allow Extensions|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can use Edge Extensions.

If you enable or don’t configure this setting, employees can use Edge Extensions.

If you disable this setting, employees can’t use Edge Extensions.|**Enabled or not configured:** Lets employees use Edge Extensions.

**Disabled:** Stops employees from using Edge Extensions.| -|Allow InPrivate browsing|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can browse using InPrivate website browsing.

If you enable or don’t configure this setting, employees can use InPrivate website browsing.

If you disable this setting, employees can’t use InPrivate website browsing.|**Enabled or not configured (default):** Lets employees use InPrivate website browsing.

**Disabled:** Stops employees from using InPrivate website browsing.| -|Allow Microsoft Compatibility List|Windows 10, Version 1607 or later|This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.

If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.

If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.|**Enabled or not configured (default):** Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.

**Disabled:** Microsoft Edge doesn’t use the Microsoft Compatibility List during browser navigation.| -|Allow search engine customization|Windows 10, Windows Insider Program|This policy setting lets you decide whether users can change their search engine.

**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

If you enable or don't configure this policy, users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.

If you disable this setting, users can't add search engines or change the default used in the address bar.|**Enabled or not configured (default):** Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.

**Disabled:** Employees can't add search engines or change the default used in the Address bar.| -|Allow web content on New Tab page|Windows 10 or later|This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.

If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.

If you disable this setting, Microsoft Edge opens a new tab with a blank page.

If you don’t configure this setting, employees can choose how new tabs appears.|**Not configured (default):** Employees see web content on New Tab page, but can change it.

**Enabled:** Employees see web content on New Tab page.

**Disabled:** Employees always see an empty new tab.| -|Configure additional search engines|Windows 10, Windows Insider Program|This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.

**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add:
`https://www.contoso.com/opensearch.xml`

If you disable this setting, any added search engines are removed from your employee's devices.

If you don't configure this setting, the search engine list is set to what is specified in App settings.|**Enabled:** Add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine.

**Disabled (default):** Any additional search engines are removed from your employee's devices.

**Not configured:** Search engine list is set to what is specified in App settings.| -|Configure Autofill|Windows 10 or later|This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.

If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.

If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.

If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.|**Not configured (default):** Employees can choose to turn Autofill on or off.

**Enabled:** Employees can use Autofill to complete form fields.

**Disabled:** Employees can’t use Autofill to complete form fields.| -|Configure cookies|Windows 10 or later|This setting lets you configure how to work with cookies.

If you enable this setting, you must also decide whether to:

If you disable or don't configure this setting, all cookies are allowed from all sites.|**Enabled:** Lets you decide how your company treats cookies.
If you use this option, you must also choose whether to:

**Disabled or not configured:** All cookies are allowed from all sites.| -|Configure Do Not Track|Windows 10 or later|This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.

If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.

If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.

If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info.|**Not configured (default):** Employees can choose to send Do Not Track headers on or off.

**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.

**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info.| -|Configure Favorites|Windows 10, Version 1511 or later|This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.

If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.

If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.|**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.

**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub.| -|Configure Password Manager|Windows 10 or later|This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.

If you enable this setting, employees can use Password Manager to save their passwords locally.

If you disable this setting, employees can’t use Password Manager to save their passwords locally.

If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.|**Not configured:** Employees can choose whether to use Password Manager.

**Enabled (default):** Employees can use Password Manager to save passwords locally.

**Disabled:** Employees can't use Password Manager to save passwords locally.| -|Configure Pop-up Blocker|Windows 10 or later|This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.

If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.

If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.

If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.|**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.

**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows.| -|Configure search suggestions in Address bar|Windows 10 or later|This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.

If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.

If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.

If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.|**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.

**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.

**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge.| -|Configure Start pages|Windows 10, Version 1511 or later|This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it.

If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
``

If you disable or don’t configure this setting, your default Start page is the webpage specified in App settings.|**Enabled:** Configure your Start pages. If you use this option, you must also include site URLs.

**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings.| -|Configure the Adobe Flash Click-to-Run setting|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.

If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.

**Important**
Sites are put on the auto-allowed list based on how frequently employees load and run the content.

If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.|**Enabled or not configured:** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.

**Disabled:** Adobe Flash content is automatically loaded and run by Microsoft Edge.| -|Configure the Enterprise Mode Site List|Windows 10 or later|This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.

If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.

If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.

**Note**
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.

If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.

**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.| -|Configure Windows Defender SmartScreen|Windows 10 or later|This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.

If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off.

If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on.

If you don’t configure this setting, employees can choose whether to use Windows Defender SmartScreen.|**Not configured (default):** Employees can choose whether to use Windows Defender SmartScreen.

**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.

**Disabled:** Turns off Windows Defender SmartScreen.| -|Disable lockdown of Start pages|Windows 10, Windows Insider Program|This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect.

**Note**
This setting only applies when you're using the “Configure Start pages" setting.

**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them.

If you disable or don't configure this setting, employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.|**Enabled:** You’re unable to lock down any Start pages that are configured using the "Configure Start pages" setting, which means that your employees can modify them.

**Disabled or not configured (default):** Employees can't change any Start pages configured using the "Configure Start pages" setting.| -|Keep favorites in sync between Internet Explorer and Microsoft Edge|Windows 10, Windows Insider Program|This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.

If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.

If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge.|**Enabled:** Employees can sync their Favorites between Internet Explorer and Microsoft Edge.

**Disabled or not configured (default):** Employees can’t sync their Favorites between Internet Explorer and Microsoft Edge.| -|Prevent access to the about:flags page|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.

If you enable this policy setting, employees can’t access the about:flags page.

If you disable or don’t configure this setting, employees can access the about:flags page.|**Enabled:** Stops employees from using the about:flags page.

**Disabled or not configured (default):** Lets employees use the about:flags page.| -|Prevent bypassing Windows Defender SmartScreen prompts for files|Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.

If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files.

If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.

**Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.| -|Prevent bypassing Windows Defender SmartScreen prompts for sites|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.

If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site.

If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about potentially malicious sites.

**Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about potentially malicious sites and continue to the site.| -|Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|Windows 10, Windows Insider Program|This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.

If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.

If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|**Enabled:** Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.

**Disabled or not configured (default):** Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.| -|Prevent the First Run webpage from opening on Microsoft Edge|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.

If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time.

If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time.|**Enabled:** Employees won't see the First Run page when opening Microsoft Edge for the first time.

**Disabled or not configured (default):** Employees will see the First Run page when opening Microsoft Edge for the first time.| -|Prevent using Localhost IP address for WebRTC|Windows 10, Version 1511 or later|This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.

If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.

If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol.|**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.

**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol.| -|Send all intranet sites to Internet Explorer 11|Windows 10 or later|This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.

If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.

If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge.|**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.

**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge.| -|Set default search engine|Windows 10, Windows Insider Program|This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes.

**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

If you enable this setting, you can choose a default search engine for your employees. If this setting is enabled, you must also add the default engine to the “Set default search engine” setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add:
`https://fabrikam.com/opensearch.xml`

**Note**
If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.

If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.

If you don't configure this setting, the default search engine is set to the one specified in App settings.|**Enabled:** You can choose a default search engine for your employees.

**Disabled:** The policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.

**Not configured (default):** The default search engine is set to the one specified in App settings.| -|Show message when opening sites in Internet Explorer|Windows 10, Version 1607 and later|This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.

If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.

If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears.|**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.

**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.| +### Allow Address bar drop-down list suggestions +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + + - If you enable or don't configure this setting (default), employees can see the Address bar drop-down functionality in Microsoft Edge. + + - If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type". + + > [!Note] + > Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. + +### Allow Adobe Flash +- **Supported versions:** Windows 10 or later + +- **Description:** This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + + - If you enable or don't configure this setting (default), employees can use Adobe Flash. + + - If you disable this setting, employees can't use Adobe Flash. + +### Allow clearing browsing data on exit +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. + + - If you enable this policy setting, clearing browsing history on exit is turned on. + + - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings. + +### Allow Developer Tools +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. + - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge. + + - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. + +### Allow Extensions +- **Supported versions:** Windows 10, Version 1607 or later + +- **Description:** This policy setting lets you decide whether employees can use Edge Extensions. + + - If you enable or don’t configure this setting, employees can use Edge Extensions. + + - If you disable this setting, employees can’t use Edge Extensions. + +### Allow InPrivate browsing +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing. + + - If you enable or don’t configure this setting (default), employees can use InPrivate website browsing. + + - If you disable this setting, employees can’t use InPrivate website browsing. + +### Allow Microsoft Compatibility List +- **Supported versions:** Windows 10, Version 1607 or later + +- **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. + + - If you enable or don’t configure this setting (default), Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly. + + - If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation. + +### Allow search engine customization +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you decide whether users can change their search engine. + + >[!Important] + >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + - If you enable or don't configure this policy (default), users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. + + - If you disable this setting, users can't add search engines or change the default used in the address bar. + +### Allow web content on New Tab page +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it. + + - If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + + - If you disable this setting, Microsoft Edge opens a new tab with a blank page. + + - If you don’t configure this setting (default), employees can choose how new tabs appears. + +### Configure additional search engines +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting. + + > [!Important] + > This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + - If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format: + + https://www.contoso.com/opensearch.xml + + For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. + + - If you disable this setting (default), any added search engines are removed from your employee's devices. + + - If you don't configure this setting, the search engine list is set to what is specified in App settings. + +### Configure Autofill +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. + + - If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. + + - If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge. + + - If you don’t configure this setting (default), employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. + +### Configure cookies +- **Supported versions:** Windows 10 or later + +- **Description:** This setting lets you configure how to work with cookies. + + - If you enable this setting, you must also decide whether to: + - **Allow all cookies (default):** Allows all cookies from all websites. + + - **Block all cookies:** Blocks all cookies from all websites. + + - **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites. + + - If you disable or don't configure this setting, all cookies are allowed from all sites. + +### Configure Do Not Track +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests. + + - If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info. + + - If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. + + - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info. + +### Configure Favorites +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. + + - If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed. + + - If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub. + +### Configure Password Manager +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. + + - If you enable this setting (default), employees can use Password Manager to save their passwords locally. + + - If you disable this setting, employees can’t use Password Manager to save their passwords locally. + + - If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. + +### Configure Pop-up Blocker +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. + + - If you enable this setting (default), Pop-up Blocker is turned on, stopping pop-up windows from appearing. + + - If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. + + - If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. + +### Configure search suggestions in Address bar +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. + + - If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. + + - If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. + + - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. + +### Configure Start pages +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. + + - If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: + + + + - If you disable or don’t configure this setting (default), your default Start page is the webpage specified in App settings. + +### Configure the Adobe Flash Click-to-Run setting +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. + + >[!Important] + >Sites are put on the auto-allowed list based on how frequently employees load and run the content. + + - If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. + + - If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge. + +### Configure the Enterprise Mode Site List +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. + + - If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you use this option, you must also add the location to your site list in the **{URI}** box. When configured, any site on the list will always open in Internet Explorer 11. + + - If you disable or don’t configure this setting (default), Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. + + >[!Note] + >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

+ >If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +### Configure Windows Defender SmartScreen +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. + + - If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off. + + - If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on. + + - If you don’t configure this setting (default), employees can choose whether to use Windows Defender SmartScreen. + +### Disable lockdown of Start pages +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect. + + >[!Important] + >This setting only applies when you're using the “Configure Start pages" setting and can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + - If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them. + + - If you disable or don't configure this setting (default), employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages. + +### Keep favorites in sync between Internet Explorer and Microsoft Edge +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. + + - If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. + + - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. + +### Prevent access to the about:flags page +- **Supported versions:** Windows 10, Version 1607 or later + +- **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. + + - If you enable this policy setting, employees can’t access the about:flags page. + + - If you disable or don’t configure this setting (default), employees can access the about:flags page. + +### Prevent bypassing Windows Defender SmartScreen prompts for files +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. + + - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files. + + - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. + +### Prevent bypassing Windows Defender SmartScreen prompts for sites +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. + + - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site. + + - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue to the site. + +### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + + - If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. + + - If you disable or don't configure this setting (default), Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. + +### Prevent the First Run webpage from opening on Microsoft Edge +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. + + - If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. + + - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. + +### Prevent using Localhost IP address for WebRTC +- **Supported versions:** Windows 10, Version 1511 or later + +- **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. + + - If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol. + + - If you disable or don’t configure this setting (default), Localhost IP addresses are shown while making calls using the WebRTC protocol. + +### Send all intranet sites to Internet Explorer 11 +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. + + - If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. + + - If you disable or don’t configure this setting (default), all websites, including intranet sites, are automatically opened using Microsoft Edge. + +### Set default search engine +- **Supported versions:** Windows 10, Windows Insider Program + +- **Description:** This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. + + >[!Important] + >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

+ >If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. + + - If you enable this setting, you can choose a default search engine for your employees. To choose the default engine, you must add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format: + + https://fabrikam.com/opensearch.xml + + - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.

If you don't configure this setting, the default search engine is set to the one specified in App settings. + + - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. + +### Show message when opening sites in Internet Explorer +- **Supported versions:** Windows 10, Version 1607 and later + +- **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. + + - If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. + + - If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears. ## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page. > [!NOTE] -> The **Supports** column uses these options: +> **Supported Devices** uses these options: > - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only. > - **Mobile.** Supports Windows 10 Mobile devices only. > - **Both.** Supports both desktop and mobile devices. All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy. -|Policy name|Supported versions|Supported device|Details| -|-------------|-------------------|-----------------|--------| -|AllowAddressBarDropdown|Windows 10, Windows Insider Program|Desktop|

| -|AllowAutofill|Windows 10 or later|Desktop|| -|AllowBrowser|Windows 10 or later|Mobile|| -|AllowCookies|Windows 10 or later|Both|| -|AllowDeveloperTools|Windows 10, Version 1511 or later|Desktop|| -|AllowDoNotTrack|Windows 10 or later|Both|| -|AllowExtensions|Windows 10, Version 1607 and later|Desktop|| -|AllowFlash|Windows 10 or later|Desktop|| -|AllowFlashClickToRun|Windows 10, Windows Insider Program|Desktop|| -|AllowInPrivate|Windows 10, Version 1511 or later|Both|| -|AllowMicrosoftCompatibilityList|Windows 10, Windows Insider Program|Both|| -|AllowPasswordManager|Windows 10 or later|Both|| -|AllowPopups|Windows 10 or later|Desktop|| -|AllowSearchEngineCustomization|Windows 10, Windows Insider Program|Both|| -|AllowSearchSuggestions
inAddressBar|Windows 10 or later|Both|| -|AllowSmartScreen|Windows 10 or later|Both|| -|ClearBrowsingDataOnExit|Windows 10, Windows Insider Program|Both|| -|ConfigureAdditionalSearchEngines|Windows 10, Windows Insider Program|Both|| -|DisableLockdownOfStartPages|Windows 10, Windows Insider Program|Desktop|| -|EnterpriseModeSiteList|Windows 10 or later|Desktop|| -|Favorites|Windows 10, Version 1511 or later|Both| @@ -57,20 +57,16 @@ author: CelesteDG

Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

- + - ### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade +### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade

[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.

-<<<<<<< HEAD -
-

-======= +

->>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12 -
+
## Windows 8.1 Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment. diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index f141dfe74e..5c56cb0492 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -3,6 +3,9 @@ title: Deploy and manage a full cloud IT solution for your business description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices. keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365 ms.prod: w10 +ms.technology: smb-windows +ms.topic: hero-article +ms.author: celested ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: smb @@ -46,6 +49,7 @@ See Get Started with Office 365 for business. If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started: + 1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**. **Figure 1** - Try or buy Office 365 @@ -54,7 +58,9 @@ If this is the first time you're setting this up, and you'd like to see how it's 2. Fill out the sign up form and provide information about you and your company. 3. Create a user ID and password to use to sign into your account. + This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal). + 4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code. 5. Select **You're ready to go...** which will take you to the Office 365 portal. @@ -65,27 +71,30 @@ If this is the first time you're setting this up, and you'd like to see how it's ![Office 365 portal](images/office365_portal.png) + 6. Select the **Admin** tile to go to the Office 365 admin center. 7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup. This may take up to a half hour to complete. - + **Figure 3** - Office 365 admin center ![Office 365 admin center](images/office365_admin_portal.png) + 8. Go back to the Office 365 admin center to add or buy a domain. 1. Select the **Domains** option. **Figure 4** - Option to add or buy a domain - ![Add or buy a domain in O365 admin center](images/office365_buy_domain.png) + ![Add or buy a domain in Office 365 admin center](images/office365_buy_domain.png) + 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. **Figure 5** - Microsoft-provided domain - ![Microsoft provided domain](images/office365_ms_provided_domain.png) + ![Microsoft-provided domain](images/office365_ms_provided_domain.png) - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. @@ -94,7 +103,7 @@ If this is the first time you're setting this up, and you'd like to see how it's **Figure 6** - Domains - ![Verify your domains in O365 admin center](images/office365_additional_domain.png) + ![Verify your domains in Office 365 admin center](images/office365_additional_domain.png) ### 1.2 Add users and assign product licenses Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Office 365 admin center. diff --git a/smb/index.md b/smb/index.md index 2d81f94e50..b15093ddee 100644 --- a/smb/index.md +++ b/smb/index.md @@ -1,8 +1,11 @@ --- title: Windows 10 for small to midsize businesses -description: Learn how to use Windows 10 for your small to midsize business. +description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business. keywords: Windows 10, SMB, small business, midsize business, business ms.prod: w10 +ms.technology: smb-windows +ms.topic: article +ms.author: celested ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: smb diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 6eeb973c7f..38e3354323 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -51,6 +51,7 @@ ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) ## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) +## [Convert MBR partition to GPT](mbr-to-gpt.md) ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index a71d13e154..d2629f839f 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -11,6 +11,11 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## March 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | + ## February 2017 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/deploy/images/mbr2gpt-volume.PNG b/windows/deploy/images/mbr2gpt-volume.PNG new file mode 100644 index 0000000000..d69bed87fb Binary files /dev/null and b/windows/deploy/images/mbr2gpt-volume.PNG differ diff --git a/windows/deploy/images/mbr2gpt-workflow.png b/windows/deploy/images/mbr2gpt-workflow.png new file mode 100644 index 0000000000..f7741cf0c3 Binary files /dev/null and b/windows/deploy/images/mbr2gpt-workflow.png differ diff --git a/windows/deploy/index.md b/windows/deploy/index.md index 3b669c973b..6660898fad 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md @@ -24,6 +24,7 @@ Learn about deploying Windows 10 for IT professionals. |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | |[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | | [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. | diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md new file mode 100644 index 0000000000..5775e4b633 --- /dev/null +++ b/windows/deploy/mbr-to-gpt.md @@ -0,0 +1,384 @@ +--- +title: MBR2GPT +description: How to use the MBR2GPT tool to convert MBR partitions to GPT +keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +localizationpriority: high +--- + +# MBR2GPT.EXE + +**Applies to** +- Windows 10 + +## Summary + +**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +You can use MBR2GPT to perform the following: + +- \[Within the Windows PE environment\]: Convert any attached MBR-formatted disk to GPT, including the system disk. +- \[From within the currently running OS\]: Convert any attached MBR-formatted disk to GPT, including the system disk. + +>MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions. +>The tool is available in both the full OS environment and Windows PE. + +You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. + +The MBR2GPT tool can convert operating system disks that have earlier versions of Windows installed, such as Windows 10 versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. + +>[!IMPORTANT] +>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
Make sure that your device supports UEFI before attempting to convert the disk. + +## Syntax + + +
MBR2GPT /validate|convert [/disk:\] [/logs:\] [/map:\=\] [/allowFullOS] +
+ +### Options + +| Option | Description | +|----|-------------| +|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.| + +## Examples + +### Validation example + +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. + +``` +X:\>mbr2gpt /validate /disk:0 +MBR2GPT: Attempting to validate disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 +MBR2GPT: Validation completed successfully +``` + +### Conversion example + +In the following example: + +1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. +2. The MBR2GPT tool is used to convert disk 0. +3. The DISKPART tool displays that disk 0 is now using the GPT format. +4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). +5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. + +``` +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 C System Rese NTFS Partition 499 MB Healthy + Volume 2 D Windows NTFS Partition 58 GB Healthy + Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 2 + +Volume 2 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Primary 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : 07 +Hidden: No +Active: No +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 2 D Windows NTFS Partition 58 GB Healthy + +DISKPART> exit + +Leaving DiskPart... + +X:\>mbr2gpt /convert /disk:0 + +MBR2GPT will now attempt to convert disk 0. +If conversion is successful the disk can only be booted in GPT mode. +These changes cannot be undone! + +MBR2GPT: Attempting to convert disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 bytes +MBR2GPT: Trying to shrink the system partition +MBR2GPT: Trying to shrink the OS partition +MBR2GPT: Creating the EFI system partition +MBR2GPT: Installing the new boot files +MBR2GPT: Performing the layout conversion +MBR2GPT: Migrating default boot entry +MBR2GPT: Adding recovery boot entry +MBR2GPT: Fixing drive letter mapping +MBR2GPT: Conversion completed successfully +MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! + +X:\>diskpart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 60 GB 0 B * + +DISKPART> select disk 0 + +Disk 0 is now the selected disk. + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 D Windows NTFS Partition 58 GB Healthy + Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden + Volume 3 FAT32 Partition 100 MB Healthy Hidden + Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 1 + +Volume 1 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Recovery 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 4 System 100 MB 59 GB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 +Hidden : No +Required: No +Attrib : 0000000000000000 +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 1 D Windows NTFS Partition 58 GB Healthy + +``` + +## Specifications + +### Disk conversion workflow + +The following steps illustrate high-level phases of the MBR-to-GPT conversion process: + +1. Disk validation is performed. +2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. +3. UEFI boot files are installed to the ESP. +4. GPT metatdata and layout information is applied. +5. The boot configuration data (BCD) store is updated. +6. Drive letter assignments are restored. + +### Disk validation + +Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: +- The disk is currently using MBR +- There is enough space not occupied by partitions to store the primary and secondary GPTs: + - 16KB + 2 sectors at the front of the disk + - 16KB + 1 sector at the end of the disk +- There are at most 3 primary partitions in the MBR partition table +- One of the partitions is set as active and is the system partition +- The BCD store on the system partition contains a default OS entry pointing to an OS partition +- The volume IDs can retrieved for each volume which has a drive letter assigned +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option + +If any of these checks fails, the conversion will not proceed and an error will be returned. + +### Creating an EFI system partition + +For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: + +1. The existing MBR system partition is reused if it meets these requirements: + a. It is not also the OS or Windows Recovery Environment partition + b. It is at least 100MB (or 260MB for 4K sector size disks) in size + c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition. + d. If the conversion is being performed from the full OS, the disk being converted is not the system disk. +2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. + +If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. + +### Partition type mapping and partition attributes + +Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: + +1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). +2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. +3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). +4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). + +In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: +- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) +- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) + +For more information about partition types, see: +- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) +- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) + + +### Persisting drive letter assignments + +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. + +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: + +1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +2. If found, set the value to be the new unique ID, obtained after the layout conversion. +3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. + +## Troubleshooting + +The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). + +### Logs + +Four log files are created by the MBR2GPT tool: + +- diagerr.xml +- diagwrn.xml +- setupact.log +- setuperr.log + +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. + +The default location for all these log files in Windows PE is **%windir%**. + +### Interactive help + +To view a list of options available when using the tool, type **mbr2gpt /?** + +The following text is displayed: + +``` + +C:\> mbr2gpt /? + +Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. + +MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] + +Where: + + /validate + - Validates that the selected disk can be converted + without performing the actual conversion. + + /convert + - Validates that the selected disk can be converted + and performs the actual conversion. + + /disk: + - Specifies the disk number of the disk to be processed. + If not specified, the system disk is processed. + + /logs: + - Specifies the directory for logging. By default logs + are created in the %windir% directory. + + /map:= + - Specifies the GPT partition type to be used for a + given MBR partition type not recognized by Windows. + Multiple /map switches are allowed. + + /allowFullOS + - Allows the tool to be used from the full Windows + environment. By default, this tool can only be used + from the Windows Preinstallation Environment. + +``` + +### Return codes + +MBR2GPT has the following associated return codes: + +| Return code | Description | +|----|-------------| +|0| Conversion completed successfully.| +|1| Conversion was canceled by the user.| +|2| Conversion failed due to an internal error.| +|3| Conversion failed due to an initialization error.| +|4| Conversion failed due to invalid command-line parameters. | +|5| Conversion failed due to error reading the geometry and layout of the selected disk.| +|6| Conversion failed because one or more volumes on the disk is encrypted.| +|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| +|8| Conversion failed due to error while creating the EFI system partition.| +|9| Conversion failed due to error installing boot files.| +|10| Conversion failed due to error while applying GPT layout.| +|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| + + +### Determining the partition type + +You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: + + +``` +PS C:\> Get-Disk | ft -Auto + +Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style +------ ------------- ------------- ------------ ----------------- ---------- --------------- +0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR +1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT +``` + +You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: + +![Volumes](images/mbr2gpt-volume.PNG) + + +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example: + +``` +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 238 GB 0 B + Disk 1 Online 931 GB 0 B * +``` + +In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. + + + + +## Related topics + +[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/) +
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deploy/provisioning-multivariant.md b/windows/deploy/provisioning-multivariant.md index 3bc7652233..d33f1206b5 100644 --- a/windows/deploy/provisioning-multivariant.md +++ b/windows/deploy/provisioning-multivariant.md @@ -1,6 +1,6 @@ --- title: Create a provisioning package with multivariant settings (Windows 10) -description: Create a provisioning package with multivariant settings to customize the provisioned settings. +description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,37 +16,31 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales. -To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. +In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. -The following events trigger provisioning on Windows 10 devices: +To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. -| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) | -| --- | --- | --- | -| System boot | Supported | Supported | -| Operating system update | Supported | Planned | -| Package installation during device first run experience | Supported | Supported | -| Detection of SIM presence or update | Supported | Not supported | -| Package installation at runtime | Supported | Supported | -| Roaming detected | Supported | Not supported | +Let's begin by learning how to define a **Target**. -## Target, TargetState, Condition, and priorities -Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant. +## Define a target -- You can define multiple **Target** child elements for each **Id** that you need for the customization setting. +In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value. -- Within a **Target** you can define multiple **TargetState** elements. +A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. -- Within a **TargetState** element you can create multiple **Condition** elements. +![Target with multiple target states and conditions](images/multi-target.png) -- A **Condition** element defines the matching type between the condition and the specified value. +The following table describes the logic for the target definition. -The following table shows the conditions supported in Windows 10 provisioning: + +
When all **Condition** elements are TRUE, **TargetState** is TRUE.![Target state is true when all conditions are true](images/icd-multi-targetstate-true.png)
If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **Id** can be used for setting customizations.![Target is true if any target state is true](images/icd-multi-target-true.png)
+ +### Conditions + +The following table shows the conditions supported in Windows 10 provisioning for a **TargetState**: ->[!NOTE] ->You can use any of these supported conditions when defining your **TargetState**. | Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | | --- | --- | --- | --- | --- | --- | @@ -57,54 +51,47 @@ The following table shows the conditions supported in Windows 10 provisioning: | GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. | | ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | | Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | -| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:


- 0 - Empty
- 1 - Ready
- 2 - Locked | +| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


- 0 - Empty
- 1 - Ready
- 2 - Locked | | UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


- 0 - Slot 0
- 1 - Slot 1 | | ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. | | ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. | -| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. | -| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. | +| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | +| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](https://msdn.microsoft.com/library/windows/desktop/aa373174.aspx). | | Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | -| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. | -| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. | -| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. | -| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". | +| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | +| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | +| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | + The matching types supported in Windows 10 are: | Matching type | Syntax | Example | | --- | --- | --- | | Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> | -| Regex match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | +| Regular expression (Regex) match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | | Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> | -- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic). +### TargetState priorities -- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization. +You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. +A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority. -You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**. +Settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. -A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. +The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed: -The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed: +1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions. -1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions. +2. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions. +2. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched. -2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions. +2. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority. +3. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority. -3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions. - - -4. For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions. - - -5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions. - - -6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal. ## Create a provisioning package with multivariant settings @@ -112,17 +99,15 @@ The **TargetState** priority is assigned based on the conditions priority and th Follow these steps to create a provisioning package with multivariant capabilities. -1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). - +1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). 2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project. - -3. Open the project folder and copy the customizations.xml file. +3. Open the project folder and copy the customizations.xml file to any local location. 4. Use an XML or text editor to open the customizations.xml file. - The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings. + The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings. The following example shows the contents of a sample customizations.xml file. @@ -153,7 +138,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti ``` -4. Edit the customizations.xml file and create a **Targets** section to describe the conditions that will handle your multivariant settings. +4. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. @@ -210,10 +195,10 @@ Follow these steps to create a provisioning package with multivariant capabiliti c. Move compliant settings from the **Common** section to the **Variant** section. - If any of the TargetRef elements matches the Target, all settings in the Variant are applied (OR logic). + If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied. >[!NOTE] - >You can define multiple Variant sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. + >You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. @@ -289,7 +274,20 @@ In this example, the **StoreFile** corresponds to the location of the settings s +## Events that trigger provisioning +When you install the multivariant provisioning package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. + +The following events trigger provisioning on Windows 10 devices: + +| Event | Windows 10 Mobile | Windows 10 for desktop editions | +| --- | --- | --- | +| System boot | Supported | Supported | +| Operating system update | Supported | Planned | +| Package installation during device first run experience | Supported | Supported | +| Detection of SIM presence or update | Supported | Supported | +| Package installation at runtime | Supported | Supported | +| Roaming detected | Supported | Not supported | diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 4e77353f2f..82fea36b85 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -572,7 +572,7 @@ ###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md) ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) -###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) +###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md) ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md) ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md) @@ -772,6 +772,13 @@ ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) +##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) #### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) ##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) ###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 2e7879cd8b..858577af50 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -13,6 +13,13 @@ author: brianlic-msft This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## March 2017 +|New or changed topic |Description | +|---------------------|------------| +|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| + + ## January 2017 |New or changed topic |Description | |---------------------|------------| diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1 new file mode 100644 index 0000000000..278824d13a --- /dev/null +++ b/windows/keep-secure/code/example.ps1 @@ -0,0 +1,52 @@ +$tenantId = '{Your Tenant ID}' +$clientId = '{Your Client ID}' +$clientSecret = '{Your Client Secret}' + +$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId + +$tokenPayload = @{ + "resource"='https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + +$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload +$token = $response.access_token + +$headers = @{ + "Content-Type"="application/json" + "Accept"="application/json" + "Authorization"="Bearer {0}" -f $token } + +$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" + +$alertDefinitions = + (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value + +$alertDefinitionPayload = @{ + "Name"= "The alert's name" + "Severity"= "Low" + "InternalDescription"= "An internal description of the Alert" + "Title"= "The Title" + "UxDescription"= "Description of the alerts" + "RecommendedAction"= "The alert's recommended action" + "Category"= "Trojan" + "Enabled"= "true"} + +$alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) + +$alertDefinitionId = $alertDefinition.Id + +$iocPayload = @{ + "Type"="Sha1" + "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + +$ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py new file mode 100644 index 0000000000..7bf906738c --- /dev/null +++ b/windows/keep-secure/code/example.py @@ -0,0 +1,53 @@ +import json +import requests +from pprint import pprint + +tenant_id="{your tenant ID}" +client_id="{your client ID}" +client_secret="{your client secret}" + +auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id) + +payload = {"resource": "https://graph.windows.net", + "client_id": client_id, + "client_secret": client_secret, + "grant_type": "client_credentials"} + +response = requests.post(auth_url, payload) +token = json.loads(response.text)["access_token"] + +with requests.Session() as session: + session.headers = { + 'Authorization': 'Bearer {}'.format(token), + 'Content-Type': 'application/json', + 'Accept': 'application/json'} + + response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") + pprint(json.loads(response.text)) + + alert_definition = {"Name": "The alert's name", + "Severity": "Low", + "InternalDescription": "An internal description of the alert", + "Title": "The Title", + "UxDescription": "Description of the alerts", + "RecommendedAction": "The alert's recommended action", + "Category": "Trojan", + "Enabled": True} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", + json=alert_definition) + + alert_definition_id = json.loads(response.text)["Id"] + + ioc = {'Type': "Sha1", + 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", + 'DetectionFunction': "Equals", + 'Enabled': True, + "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", + json=ioc) + + pprint(json.loads(response.text)) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 7d3b48530d..5fdb54b819 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -46,6 +46,7 @@ For Credential Guard to provide protections, the computers you are protecting mu To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: - Support for Virtualization-based security (required) +- Secure boot (required) - TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) @@ -85,7 +86,7 @@ Computers that meet additional qualifications can provide additional protections The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
#### Baseline protections @@ -94,7 +95,7 @@ The following tables describe baseline protections, plus protections for improve |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | -| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | +| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md index 7c5f60b159..8c54c753a6 100644 --- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Create custom alerts using the threat intelligence (TI) Application program interface (API) +# Create custom alerts using the threat intelligence (TI) application program interface (API) **Applies to:** @@ -23,12 +23,12 @@ localizationpriority: high [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to create specific alerts that are applicable to your organization. +You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. ## Before you begin Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). -### Use the threat intelligence REST APIs to create custom threat intelligence alerts +### Use the threat intelligence REST API to create custom threat intelligence alerts You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations: - GET @@ -347,11 +347,13 @@ These parameters are compatible with the [OData V4 query language](http://docs.o ## Code examples The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages: -- PowerShell code examples -- Python code examples +- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) ## Related topics -- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md index 38074271e9..e62a85a083 100644 --- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -40,6 +40,8 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee You’ll need to use the access token in the Authorization header when doing REST API calls. ## Related topics -- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/images/privacy-setting-in-sign-in-options.png b/windows/keep-secure/images/privacy-setting-in-sign-in-options.png new file mode 100644 index 0000000000..cf2e499e04 Binary files /dev/null and b/windows/keep-secure/images/privacy-setting-in-sign-in-options.png differ diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index f82d103fb6..ddb0839afa 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -17,31 +17,80 @@ author: brianlic-msft Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. ## Reference -When a session is locked in a Windows operating system (meaning the user at the computer pressed CTRL+ALT+DEL and the Secure Desktop is displayed), user information is displayed. By default, this information is in the form of **<user name> is logged on**. The displayed user name is the user’s full name as set on the Properties page for that user. These settings do not apply to the logon tiles, which are displayed on the desktop after using the **Switch User** feature. The information that is displayed can be changed to meet your security requirements using the following possible values. +This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen. +For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows. +However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently. -### Possible values +### Changes in Windows 10 version 1607 + +Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details. +This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. +The Privacy setting is off by default, which hides the details. + +![Privacy setting](images\privacy-setting-in-sign-in-options.png) + +The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. + +This setting has these possible values: - **User display name, domain and user names** - If this is a local logon, the user’s full name is displayed on the Secure Desktop. If it is a domain logon, the user’s domain and user’s account name is displayed. + For a local logon, the user's full name is displayed. + If the user signed in using a Microsoft account, the user's email address is displayed. + For a domain logon, the domain\username is displayed. + This has the same effect as turning on the **Privacy** setting. - **User display name only** - The name of the user who locked the session is displayed on the Secure Desktop as the user’s full name. + The full name of the user who locked the session is displayed. + This has the same effect as turning off the **Privacy** setting. - **Do not display user information** - No names are displayed on the Secure Desktop, but user’s full names will be displayed on the **Switch user** desktop. + No names are displayed. + Beginning with Windows 10 version 1607, this option is not supported. + If this option is chosen, the full name of the user who locked the session is displayed instead. + This change makes this setting consistent with the functionality of the new **Privacy** setting. + To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. - Blank. - Default setting. This translates to “Not defined,” but it will display the user’s full name in the same manner as the **User display name** option. When an option is set, you cannot reset this policy to blank, or not defined. + Default setting. + This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. + When an option is set, you cannot reset this policy to blank, or not defined. + +### Hotfix for Windows 10 version 1607 + +Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. +If the **Privacy** setting is turned on, details will show. + +The **Privacy** setting cannot be changed for clients in bulk. +Instead, apply KB 4013429 to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. + +There are related Group Policy settings: + +- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen. +- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display last signed-in** prevents the username of the last user to sign in from being shown. +- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears. + +### Interaction with related Group Policy settings + +For all versions of Windows 10, only the user display name is shown by default. + +If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. +Users will not be able to show details. + +If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username. +In this case, clients that run Windows 10 version 1607 need KB 4013429 applied. +Users will not be able to hide additional details. + +If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown. ### Best practices -Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. +Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. -Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. +Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy. ### Location @@ -86,13 +135,7 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. -You might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. - -### Potential impact - -If you do not enable this policy, the effect will be the same as enabling the policy and selecting the **User display name, domain and user names** option. - -If the policy is enabled and set to **Do not display user information**, an observer cannot see who is logged onto the Secure Desktop, but the logon tile is still present if the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy is not enabled. Depending on how the logon tiles are configured, they could provide visual clues as to who is logged on. In addition, if the Interactive logon: Do not display last user name policy is not enabled, then the **Switch user** feature will show user information. +You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. ## Related topics diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 5af92d1bcf..d712d65bdd 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -1,5 +1,5 @@ --- -title: Interactive logon Do not display last user name (Windows 10) +title: Interactive logon Don't display last signed-in (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd ms.prod: w10 @@ -9,12 +9,12 @@ ms.pagetype: security author: brianlic-msft --- -# Interactive logon: Do not display last user name +# Interactive logon: Don't display last signed-in **Applies to** - Windows 10 -Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting. +Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting. Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.** ## Reference diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md index b06391c16d..5574319409 100644 --- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -26,88 +26,54 @@ localizationpriority: high This article provides PowerShell code examples for using the custom threat intelligence API. These code examples demonstrate the following tasks: -- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token) -- [Create headers](#create-headers) -- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api) -- [Create a new alert definition](#create-a-new-alert-definition) -- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise) +- [Obtain an Azure AD access token](#token) +- [Create headers](#headers) +- [Create calls to the custom threat intelligence API](#calls) +- [Create a new alert definition](#alert-definition) +- [Create a new indicator of compromise](#ioc) -## Obtain an Azure AD access token + +## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. -Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: +Replace the *tenantid*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal: -``` +[!code[CustomTIAPI](./code/example.ps1#L1-L14)] -$tenantId = '{Your Tenant ID} -$clientId = '{Your Client ID}' -$clientSecret = '{Your Client Secret}' + +## Step 2: Create headers used for the requests with the API +Use the following code to create the headers used for the requests with the API: -$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId +[!code[CustomTIAPI](./code/example.ps1#L16-L19)] -$tokenPayload = @{ - "resource"='https://graph.windows.net' - "client_id" = $clientId - "client_secret" = $clientSecret - "grant_type"='client_credentials'} + +## Step 3: Create calls to the custom threat intelligence API +After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: -$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload -$token = $response.access_token +[!code[CustomTIAPI](./code/example.ps1#L21-L24)] -``` +The response is empty on initial use of the API. -## Create headers -The following example demonstrates how to create headers used for the requests with the API. + +## Step 4: Create a new alert definition +The following example demonstrates how you to create a new alert definition. -``` -$headers = @{} -$headers.Add("Content-Type", "application/json") -$headers.Add("Accept", "application/json") -$headers.Add("Authorization", "Bearer {0}" -f $token) +[!code[CustomTIAPI](./code/example.ps1#L26-L39)] -``` + +## Step 5: Create a new indicator of compromise +You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. -## Create calls to the custom threat intelligence API -The following example demonstrates how to view all alert definition entities by creating a call to the API. +[!code[CustomTIAPI](./code/example.ps1#L43-L53)] -``` -$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" -$alertDefinitions = - (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value -``` +## Complete code +You can use the complete code to create calls to the API. -If this is the first time to use the API, the response is empty. +[!code[CustomTIAPI](./code/example.ps1#L1-L53)] -## Create a new alert definition -The following example shows how to create a new alert definition. - -``` -$alertDefinitionPayload = @{ - "Name"= "The Alert's Name" - "Severity"= "Low" - "InternalDescription"= "An internal description of the Alert" - "Title"= "The Title" - "UxDescription"= "Description of the alerts" - "RecommendedAction"= "The alert's recommended action" - "Category"= "Trojan" - "Enabled"= "true"} - - -$alertDefinition = - Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) -``` - -## Create a new indicator of compromise -The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. - -``` -$iocPayload = @{ - "Type"="Sha1" - "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" - "DetectionFunction"="Equals" - "Enabled"="true" - "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } - - -$ioc = Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) -``` +## Related topics +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md index e4a19d51d6..3a89c15e0b 100644 --- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md @@ -47,5 +47,7 @@ The following features are included in the preview release: - [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization. + >[!NOTE] > All response actions require machines to be on the latest Windows 10 Insider Preview build. diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md index 4b482cc066..6e63d9f1b5 100644 --- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md @@ -27,95 +27,55 @@ localizationpriority: high You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. These code examples demonstrate the following tasks: -- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token) -- [Create request session object](#create-a-request's-session-object) -- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api) -- [Create a new alert definition](#create-a-new-alert-definition) -- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise) +- [Obtain an Azure AD access token](#token) +- [Create request session object](#session-object) +- [Create calls to the custom threat intelligence API](#calls) +- [Create a new alert definition](#alert-definition) +- [Create a new indicator of compromise](#ioc) -## Obtain an Azure AD access token + +## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: -``` - -import json -import requests -from pprint import pprint - -tenant_id="{your tenant ID}" -client_id="{your client ID" -client_secret="{your client secret}" - -full_auth_url = r"https://login.windows.net/{0}/oauth2/token".format(tenant_id) - -payload = {"resource": "https://graph.windows.net", - "client_id": client_id, - "client_secret": client_secret, - "grant_type": "client_credentials"} +[!code[CustomTIAPI](./code/example.py#L1-L17)] -response = requests.post(full_auth_url, payload) -token = json.loads(response.text)["access_token"] -``` - -## Create request session object + +## Step 2: Create request session object Add HTTP headers to the session object, including the Authorization header with the token that was obtained. -``` -with requests.Session() as session: - session.headers = { - 'Authorization': 'Bearer {}'.format(token), - 'Content-Type': 'application/json', - 'Accept': 'application/json'} -``` +[!code[CustomTIAPI](./code/example.py#L19-L23)] -## Create calls to the custom threat intelligence API -The following example shows how to view all of the alert definition entities by creating a call to the API. + +## Step 3: Create calls to the custom threat intelligence API +After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: ->[!NOTE] -> All code is still within the ```with``` statement with the same indention level. +[!code[CustomTIAPI](./code/example.py#L25-L26)] -```json +The response is empty on initial use of the API. -response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") -pprint(json.loads(response.text)) -``` + +## Step 4: Create a new alert definition +The following example demonstrates how you to create a new alert definition. -If this is the first time to use the API, the response is empty. +[!code[CustomTIAPI](./code/example.py#L28-L39)] -## Create a new alert definition -The following example shows how to create a new alert definition. + +## Step 5: Create a new indicator of compromise +You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. -``` +[!code[CustomTIAPI](./code/example.py#L41-L51)] -alert_definition = {"Name": "The Alert's Name", - "Severity": "Low", - "InternalDescription": "An internal description of the Alert", - "Title": "The Title", - "UxDescription": "Description of the alerts", - "RecommendedAction": "The alert's recommended action", - "Category": "Trojan", - "Enabled": True} +## Complete code +You can use the complete code to create calls to the API. -response = session.post( - "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", - json=alert_definition) -``` +[!code[CustomTIAPI](./code/example.py#L1-L53)] -## Create a new indicator of compromise -The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. - -``` -alert_definition_id = json.loads(response.text)["Id"] - ioc = {'Type': "Sha1", - 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", - 'DetectionFunction': "Equals", - 'Enabled': True, - "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} - - response = session.post( - "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", - json=ioc) -``` +## Related topics +- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index a1a1738dad..2d68063ec7 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -38,6 +38,7 @@ For encrypting Remote Desktop Services network communication, this policy settin For BitLocker, this policy setting needs to be enabled before any encryption key is generated. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. +Additionally, if a data drive is password-protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only. ### Possible values diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index 32dc72d7fd..be6cfe9d8e 100644 --- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Understand threat indicators +# Understand threat intelligence concepts **Applies to:** @@ -47,7 +47,9 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. -## Related topic +## Related topics - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 5448e0e2f5..d63bd1bf4c 100644 --- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -44,3 +44,11 @@ If your client secret expires or if you've misplaced the copy provided when you 6. Click **Save**. The key value is displayed. 7. Copy the value and save it in a safe place. + + +## Related topics +- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0757a26702 --- /dev/null +++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -0,0 +1,39 @@ +--- +title: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts +description: Use the custom threat intelligence API to create custom alerts for your organization. +keywords: threat intelligence, alert definitions, indicators of compromise +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Use the threat intelligence API to create custom alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. + +You can use the code examples to guide you in creating calls to the custom threat intelligence API. + +## In this section + +Topic | Description +:---|:--- +[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. +[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API. +[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. +[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. +[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. +[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API. diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index a7f9bbef7e..0b4b7ec69f 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -98,17 +98,17 @@ Windows telemetry also helps Microsoft better understand how customers use (or d ### Insights into your own organization -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md). +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md). -#### Windows 10 Upgrade Analytics +#### Upgrade Readiness Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. -To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. -Use Upgrade Analytics to get: +Use Upgrade Readiness to get: - A visual workflow that guides you from pilot to production - Detailed computer, driver, and application inventory @@ -118,7 +118,7 @@ Use Upgrade Analytics to get: - Application usage information, allowing targeted validation; workflow to track validation progress and decisions - Data export to commonly used software deployment tools -The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. ## How is telemetry data handled by Microsoft? @@ -179,7 +179,7 @@ The levels are cumulative and are illustrated in the following diagram. Also, th ### Security level -The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions. +The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. > [!NOTE] > If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 8f9e0d54cd..120818bbe1 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -99,6 +99,8 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] +>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) +> >This configuration is optional and not required for most implementations of Delivery Optimization. ### Max Cache Age diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md index 773814c884..e8a17a2b8b 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/manage/waas-optimize-windows-10-updates.md @@ -61,7 +61,7 @@ For OS updates that support Express, there are two versions of the file payload 1. **Full-file version** - essentially replacing the local versions of the update binaries. 2. **Express version** - containing the deltas needed to patch the existing binaries on the device. -Both the full-file version and the Express version are referenced in the udpate's metadata, which has been downloaded to the client as part of the scan phase. +Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase. **Express download works as follows:** diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md index 1608798dce..f8937e7a43 100644 --- a/windows/manage/windows-libraries.md +++ b/windows/manage/windows-libraries.md @@ -10,10 +10,10 @@ author: jasongerend ms.date: 2/6/2017 description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. --- -> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - # Windows Libraries +> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 + Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. ## Features for Users