diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 85b9e8d303..50e104e045 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,91 @@
 {
 "redirections": [
 {
+"source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
+"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
+"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/encrypted-hard-drive.md",
+"redirect_url": "/windows/security/information-protection/encrypted-hard-drive",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/secure-the-windows-10-boot-process.md",
+"redirect_url": "/windows/security/information-protection/secure-the-windows-10-boot-process",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+"redirect_url": "/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md",
+"redirect_url": "/windows/security/information-protection/tpm/change-the-tpm-owner-password",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/how-windows-uses-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-commands.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-commands",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-lockout.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-lockout",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+"redirect_url": "/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-fundamentals.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-fundamentals",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-recommendations.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-recommendations",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-overview.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
 "redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started",
 "redirect_document_id": true
@@ -6556,6 +6641,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/kiosk-shared-pc.md",
+"redirect_url": "/windows/configuration/kiosk-methods",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/setup-kiosk-digital-signage.md",
+"redirect_url": "/windows/configuration/kiosk-single-app",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/multi-app-kiosk-xml.md",
+"redirect_url": "/windows/configuration/kiosk-xml",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md",
 "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps",
 "redirect_document_id": true
@@ -6676,11 +6776,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/configuration/multi-app-kiosk-xml.md",
-"redirect_url": "windows/configuration/kiosk-xml.md",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/configure/provisioning-uninstall-package.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package",
 "redirect_document_id": true
@@ -13491,11 +13586,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/update/waas-windows-insider-for-business-faq.md",
-"redirect_url": "/windows/deployment/update/waas-windows-insider-for-business-faq",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/update/waas-windows-insider-for-business.md",
 "redirect_url": "/windows/deployment/update/waas-windows-insider-for-business",
 "redirect_document_id": true
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
deleted file mode 100644
index 214a02e1d0..0000000000
--- a/browsers/edge/Index.md
+++ /dev/null
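Review bot: The two new Windows Insider entries at the top of the `@@ -1,6` hunk (`waas-windows-insider-for-business-aad.md` and `waas-windows-insider-for-business-faq.md`) use absolute `https://docs.microsoft.com/en-us/...` targets, while the sibling entry for `waas-windows-insider-for-business.md` directly below them and every other entry in the hunk use site-relative paths; the hard-coded `en-us` locale sends readers of localized pages to the English page and bypasses whatever locale handling the publishing system applies to relative targets. Changing them to `"redirect_url": "/windows-insider/at-work-pro/wip-4-biz-add"` and `"redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started"` keeps the file consistent. The `@@ -13491` hunk deletes the old `windows/update/waas-windows-insider-for-business-faq.md` entry outright rather than re-pointing it, so that older URL appears to stop redirecting anywhere unless another rule covers it; re-pointing the entry at the new target would be safer than removing it. One added entry sends `hardware-protection/how-hardware-based-containers-help-protect-windows.md` to `identity-protection` while its sixteen siblings go to `information-protection`, which is presumably intentional but worth confirming.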
@@ -1,72 +0,0 @@
----
-description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics.
-ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb
-author: shortpatti
-ms.prod: edge
-ms.mktglfcycl: general
-ms.sitesec: library
-title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros)
-ms.localizationpriority: high
-ms.date: 10/16/2017
----
-
-# Microsoft Edge - Deployment Guide for IT Pros
-
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
-
-Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
-
-Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
-
->[!Note]
->For more information about the potential impact of using Microsoft Edge in a large organization, refer to the [Measuring the impact of Microsoft Edge](https://www.microsoft.com/itpro/microsoft-edge/technical-benefits) topic on the Microsoft Edge IT Center.
-
->If you are looking for Internet Explorer 11 content, please visit the [Internet Explorer 11 (IE11)](https://docs.microsoft.com/en-us/internet-explorer/) area.
-
-## In this section
-
-| Topic | Description |
-| -----------------------| ----------------------------------- |
-|[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. |
-|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.|
-| [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) |Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.|
-| [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. |
-| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |
-| [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. |
-|[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)|Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
-
-## Interoperability goals and enterprise guidance
-
-Our primary goal is that your modern websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser.
-
-However, if you're running web apps that continue to use:
-
-* ActiveX controls
-
-* x-ua-compatible headers
-
-* <meta> tags
-
-* Enterprise mode or compatibility view to address compatibility issues
-
-* legacy document modes
-
-You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md).
-
-## Related topics
-
-- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956)
-
-- [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847)
-
-- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
-
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644)
-
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
-
diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md
index 9a9115a9ac..817f1bb1d4 100644
--- a/browsers/edge/TOC.md
+++ b/browsers/edge/TOC.md
@@ -1,9 +1,39 @@
-#[Microsoft Edge - Deployment Guide for IT Pros](index.md)
-##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
-##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
-##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)
-##[Available policies for Microsoft Edge](available-policies.md)
-##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)
-##[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md)
-##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)
+# [Microsoft Edge deployment for IT Pros](index.yml)
+
+## [(Preview) New Microsoft Edge Group Policies and MDM settings](new-policies.md)
+
+## [(Preview) Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md)
+
+## [Group policies & configuration options](group-policies/index.yml)
+### [All group policies](available-policies.md)
+### [Address bar settings](group-policies/address-bar-settings-gp.md)
+### [Adobe settings](group-policies/adobe-settings-gp.md)
+### [Books Library management](group-policies/books-library-management-gp.md)
+### [Browser settings management](group-policies/browser-settings-management-gp.md)
+### [Developer settings](group-policies/developer-settings-gp.md)
+### [Extensions management](group-policies/extensions-management-gp.md)
+### [Favorites management](group-policies/favorites-management-gp.md)
+### [Home button settings](group-policies/home-button-gp.md)
+### [Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md)
+### [New tab page settings](group-policies/new-tab-page-settings-gp.md)
+### [Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md)
+### [Search engine customization](group-policies/search-engine-customization-gp.md)
+### [Security and privacy management](group-policies/security-privacy-management-gp.md)
+### [Start pages settings](group-policies/start-pages-gp.md)
+### [Sync browser settings](group-policies/sync-browser-settings-gp.md)
+### [Telemetry and data collection](group-policies/telemetry-management-gp.md)
+
+
+
+## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
+
+## [System requirements](about-microsoft-edge.md#minimum-system-requirements)
+
+## [Supported languages](about-microsoft-edge.md#supported-languages)
+
+
+## [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)
+
+## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)
+
diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md
new file mode 100644
index 0000000000..16b748b6ed
--- /dev/null
+++ b/browsers/edge/about-microsoft-edge.md
@@ -0,0 +1,159 @@
+---
+description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics.
+ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb
+author: shortpatti
+ms.prod: edge
+ms.mktglfcycl: general
+ms.sitesec: library
+title: Microsoft Edge for IT Pros
+ms.localizationpriority: medium
+ms.date: 07/29/2018
+---
+
+# Microsoft Edge deployment for IT Pros
+>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
+
+Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
+
+
+>[!IMPORTANT]
+>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+
+
+
+## Minimum system requirements
+Some of the components might also need additional system resources. Check the component's documentation for more information.
+
+
+| Item | Minimum requirements |
+| ------------------ | -------------------------------------------- |
+| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) |
+| Operating system |

**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
+| Memory |

|
+| Hard drive space | |
+| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) |
+| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors |
+| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver |
+| Peripherals | Internet connection and a compatible pointing device |
+
+ 
+
+## Supported languages
+
+
+Microsoft Edge supports all of the same languages as Windows 10, including:
+
+
+| Language | Country/Region | Code |
+| ------------------------ | -------------- | ------ |
+| Afrikaans (South Africa) | South Africa | af-ZA |
+| Albanian (Albania) | Albania | sq-AL |
+| Amharic | Ethiopia | am-ET |
+| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA |
+| Armenian | Armenia | hy-AM |
+| Assamese | India | as-IN |
+| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ |
+| Bangla (Bangladesh) | Bangladesh | bn-BD |
+| Bangla (India) | India | bn-IN |
+| Basque (Basque) | Spain | eu-ES |
+| Belarusian (Belarus) | Belarus | be-BY |
+| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA |
+| Bulgarian (Bulgaria) | Bulgaria | bg-BG |
+| Catalan (Catalan) | Spain | ca-ES |
+| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ |
+| Cherokee (Cherokee) | United States | chr-Cher-US |
+| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK |
+| Chinese (Simplified, China) | People's Republic of China | zh-CN |
+| Chinese (Traditional, Taiwan) | Taiwan | zh-TW |
+| Croatian (Croatia) | Croatia | hr-HR |
+| Czech (Czech Republic) | Czech Republic | cs-CZ |
+| Danish (Denmark) | Denmark | da-DK |
+| Dari | Afghanistan | prs-AF |
+| Dutch (Netherlands) | Netherlands | nl-NL |
+| English (United Kingdom) | United Kingdom | en-GB |
+| English (United States) | United States | en-US |
+| Estonian (Estonia) | Estonia | et-EE |
+| Filipino (Philippines) | Philippines | fil-PH |
+| Finnish (Finland) | Finland | fi_FI |
+| French (Canada) | Canada | fr-CA |
+| French (France) | France | fr-FR |
+| Galician (Galician) | Spain | gl-ES |
+| Georgian | Georgia | ka-GE |
+| German (Germany) | Germany | de-DE |
+| Greek (Greece) | Greece | el-GR |
+| Gujarati | India | gu-IN |
+| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG |
+| Hebrew (Israel) | Israel | he-IL |
+| Hindi (India) | India | hi-IN |
+| Hungarian (Hungary) | Hungary | hu-HU |
+| Icelandic | Iceland | is-IS |
+| Igbo | Nigeria | ig-NG |
+| Indonesian (Indonesia) | Indonesia | id-ID |
+| Irish | Ireland | ga-IE |
+| isiXhosa | South Africa | xh-ZA |
+| isiZulu | South Africa | zu-ZA |
+| Italian (Italy) | Italy | it-IT |
+| Japanese (Japan) | Japan | ja-JP |
+| Kannada | India | kn-IN |
+| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ |
+| Khmer (Cambodia) | Cambodia | km-KH |
+| K'iche' | Guatemala | quc-Latn-GT |
+| Kinyarwanda | Rwanda | rw-RW |
+| KiSwahili | Kenya, Tanzania | sw-KE |
+| Konkani | India | kok-IN |
+| Korean (Korea) | Korea | ko-KR |
+| Kyrgyz | Kyrgyzstan | ky-KG |
+| Lao (Laos) | Lao P.D.R. | lo-LA |
+| Latvian (Latvia) | Latvia | lv-LV |
+| Lithuanian (Lithuania) | Lithuania | lt-LT |
+| Luxembourgish (Luxembourg) | Luxembourg | lb-LU |
+| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK |
+| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY |
+| Malayalam | India | ml-IN |
+| Maltese | Malta | mt-MT |
+| Maori | New Zealand | mi-NZ |
+| Marathi | India | mr-IN |
+| Mongolian (Cyrillic) | Mongolia | mn-MN |
+| Nepali | Federal Democratic Republic of Nepal | ne-NP |
+| Norwegian (Nynorsk) | Norway | nn-NO |
+| Norwegian, Bokmål (Norway) | Norway | nb-NO |
+| Odia | India | or-IN |
+| Polish (Poland) | Poland | pl-PL |
+| Portuguese (Brazil) | Brazil | pt-BR |
+| Portuguese (Portugal) | Portugal | pt-PT |
+| Punjabi | India | pa-IN |
+| Punjabi (Arabic) | Pakistan | pa-Arab-PK |
+| Quechua | Peru | quz-PE |
+| Romanian (Romania) | Romania | ro-RO |
+| Russian (Russia) | Russia | ru-RU |
+| Scottish Gaelic | United Kingdom | gd-GB |
+| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA |
+| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS |
+| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS |
+| Sesotho sa Leboa | South Africa | nso-ZA |
+| Setswana (South Africa) | South Africa and Botswana | tn-ZA |
+| Sindhi (Arabic) | Pakistan | sd-Arab-PK |
+| Sinhala | Sri Lanka | si-LK |
+| Slovak (Slovakia) | Slovakia | sk-SK |
+| Slovenian (Slovenia) | Slovenia | sl-SL |
+| Spanish (Mexico) | Mexico | es-MX |
+| Spanish (Spain, International Sort) | Spain | en-ES |
+| Swedish (Sweden) | Sweden | sv-SE |
+| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ |
+| Tamil (India) | India and Sri Lanka | ta-IN |
+| Tatar | Russia | tt-RU |
+| Telugu | India | te-IN |
+| Thai (Thailand) | Thailand | th-TH |
+| Tigrinya (Ethiopia) | Ethiopia | ti-ET |
+| Turkish (Turkey) | Turkey | tr-TR |
+| Turkmen | Turkmenistan | tk-TM |
+| Ukrainian (Ukraine) | Ukraine | uk-UA |
+| Urdu | Pakistan | ur-PK |
+| Uyghur | People's Republic of China | ug-CN |
+| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ |
+| Valencian | Spain | ca-ES-valencia |
+| Vietnamese | Vietnam | vi-VN |
+| Welsh | United Kingdom | cy-GB |
+| Wolof | Senegal | wo-SN |
+| Yoruba | Nigeria | yo-NG |
+---
\ No newline at end of file
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 7c3c8a5909..f21ac4a827 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -9,13 +9,17 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
 ms.localizationpriority: medium
-ms.date: 4/30/2018
+ms.date: 07/20/2018
 ---
 # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
 > Applies to: Windows 10, Windows 10 Mobile
+Set up a policy setting once and then copy that setting onto many computers.
+
+
+
 Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
 By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that is linked to a domain, and then apply all of those settings to every computer in the domain.
@@ -24,633 +28,136 @@ By using Group Policy and Intune, you can set up a policy setting once, and then > For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). -Microsoft Edge works with the following Group Policy settings to help you manage your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location: -Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ +>*You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:* +> +>      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* +

## Allow a shared books folder ->*Supported versions: Windows 10, version 1803*
->*Default setting: None* - -You can configure Microsoft Edge to store books from the Books Library to a default, shared folder for Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads book files automatically to a common, shared folder, and prevents users from removing the book from the library. For this policy to work properly, users must be signed in with a school or work account. - -If you disable or don’t configure this policy, Microsoft Edge does not use a shared folder but downloads book files to a per-user folder for each user. - - - -**MDM settings in Microsoft Intune** -| | | -|---|---| -|MDM name |Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | -|Data type |Integer | -|Allowed values |

| - +[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] ## Allow Address bar drop-down list suggestions ->*Supported versions: Windows 10, version 1703 or later* +[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] -By default, Microsoft Edge shows the Address bar drop-down list and makes it available. If you want to minimize network connections from Microsoft Edge to Microsoft service, we recommend disabling this policy. Disabling this policy turns off the Address bar drop-down list functionality. - -When disabled, Microsoft Edge also disables the user-defined policy Show search and site suggestions as I type. Because the drop-down shows the search suggestions, this policy takes precedence over the [Configure search suggestions in Address bar](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies#configure-search-suggestions-in-address-bar) policy. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown | -|Data type | Integer | -|Allowed values | | - - -## Allow Adobe Flash ->*Supported version: Windows 10* - -Adobe Flash is integrated with Microsoft Edge and updated via Windows Update. With this policy, you can configure Microsoft Edge to run Adobe Flash content or prevent Adobe Flash from running. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash | -|Data type | Integer | -|Allowed values | | +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] ## Allow clearing browsing data on exit ->*Supported versions: Windows 10, version 1703* - -By default, Microsoft Edge does not clear the browsing data on exit, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. Enable this policy if you want to clear the browsing data automatically each time Microsoft Edge closes. - - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit | -|Data type | Integer | -|Allowed values | | - +[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] ## Allow configuration updates for the Books Library ->*Supported versions: Windows 10, version 1803*
->*Default setting: Enabled or not configured* - -Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or -not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. - -**MDM settings in Microsoft Intune** -| | | -|---|---| -|MDM name |Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary | -|Data type |Integer | -|Allowed values | | - +[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] ## Allow Cortana ->*Supported versions: Windows 10, version 1607 or later* - -Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you to use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | -|Supported devices |Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana | -|Location |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortana | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] ## Allow Developer Tools ->*Supported versions: Windows 10, version 1511 or later* - -F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools available to use. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] ## Allow extended telemetry for the Books tab ->*Supported versions: Windows 10, version 1803*
->*Default setting: Disabled or not configured* - -If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are -reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic -diagnostic data, depending on your device configuration, is sent to Microsoft. - -**MDM settings in Microsoft Intune** -| | | -|---|---| -|MDM name |Browser/[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry | -|Data type |Integer | -|Allowed values | | - +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] ## Allow Extensions ->*Supported versions: Windows 10, version 1607 or later* - -If you enable this policy, you can personalize and add new features to Microsoft Edge with extensions. By default, this policy is enabled. If you want to prevent others from installing unwanted extensions, disable this policy. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowExtensions | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] ## Allow InPrivate browsing ->*Supported versions: Windows 10, version 1511 or later* - -InPrivate browsing, when enabled, prevents your browsing data is not saved on your device. Microsoft Edge deletes temporary data from your device after all your InPrivate tabs are closed. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] ## Allow Microsoft Compatibility List ->*Supported versions: Windows 10, version 1703 or later* - -Microsoft Edge uses the compatibility list that helps websites with known compatibility issues display properly. When enabled, Microsoft Edge checks the list to determine if the website has compatibility issues during browser navigation. By default, this policy is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft compatibility list prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. - - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] ## Allow search engine customization ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting allows search engine customization for domain-joined or MDM-enrolled devices only. For example, you can change the default search engine or add a new search engine. By default, this setting is enabled allowing you to add new search engines and change the default under Settings. If disabled, you cannot add search engines or change the default. - -For more information, see [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] ## Allow web content on New Tab page ->*Supported versions: Windows 10* - -This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - +[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] ## Always show the Books Library in Microsoft Edge ->*Supported versions: Windows 10, version 1709 or later* - -This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] ## Configure additional search engines ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting, when enabled, lets you add up to five additional search engines. Employees cannot remove these search engines, but they can set any one as the default. By default, this setting is not configured and does not allow additional search engines to be added. If disabled, the search engines added are deleted. - -For each additional search engine, you add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). - -This setting does not set the default search engine. For that, you must use the "Set default search engine" setting. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] ## Configure Autofill ->*Supported versions: Windows 10* - -This policy setting specifies whether AutoFill on websites is allowed. By default, this setting is not configured allowing you to choose whether or not to use AutoFill. If enabled, AutoFill is used. If disabled, AutoFill is not used. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowAutofill | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] ## Configure cookies ->*Supported versions: Windows 10* - -This policy setting specifies whether cookies are allowed. By default, this setting is enabled with the Block all cookies and Block only 3rd-party cookies options available. If disabled or not configured, all cookies are allowed from all sites. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCookies | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] ## Configure Do Not Track ->*Supported versions: Windows 10* - -This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing you to choose if to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | -|Data type | Integer | -|Allowed values | | - +[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] ## Configure Favorites ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later* -This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their favorites by adding or removing items at any time. - -If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed. - -If you disable or don't configure this setting, employees will see the Favorites that they set in the Favorites hub. - +[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] ## Configure Password Manager ->*Supported versions: Windows 10* - -This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose if to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] ## Configure Pop-up Blocker ->*Supported versions: Windows 10* - -This policy setting specifies whether pop-up blocker is allowed or enabled. By default, pop-up blocker is turned on. If not configured, you can choose whether to turn on or turn off pop-up blocker. If disabled, pop-up blocker is turned off. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPopups | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] ## Configure search suggestions in Address bar ->*Supported versions: Windows 10* - -This policy setting specifies whether search suggestions are allowed in the address bar. By default, this setting is not configured allowing you to choose whether search suggestions appear in the address bar. If enabled, search suggestions appear. If disabled, search suggestions do not appear. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] ## Configure Start pages ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting specifies your Start pages for domain-joined or MDM-enrolled devices. By default, this setting is disabled or not configured. Therefore, the Start page is the webpages specified in App settings. If enabled, you can configure one or more corporate Start pages. If enabling this setting, you must include URLs separating multiple pages by using XML-escaped characters < and >, for example, **<\support.contoso.com><\support.microsoft.com>**. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/HomePages | -|Data type |String | -|Allowed values |Configure the Start page (previously known as Home page) URLs for your you. | +[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] ## Configure the Adobe Flash Click-to-Run setting ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether you must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. When the setting is enabled, you must click the content, Click-to-Run button, or have the site appear on an auto-allow list before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] ## Configure the Enterprise Mode Site List ->*Supported versions: Windows 10* - -This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. By default, this setting is disabled or not configured, which means the Enterprise Mode Site List is not used. In this case, you might experience compatibility problems while using legacy apps. If enabled, you must add the location to your site list in the **{URI}** box. when enabled, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. - ->[!Note] ->If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.

->If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList | -|Data type | String | -|Allowed values | | +[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] ## Configure Windows Defender SmartScreen ->*Supported versions: Windows 10* - -This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on, and you cannot turn it off. If disabled, Windows Defender SmartScreen is turned off, and you cannot turn it on. If not configured, you can choose whether to use Windows Defender SmartScreen. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] ## Disable lockdown of Start pages ->*Supported versions: Windows 10, version 1703 or later* +[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] -This policy setting specifies whether the lockdown on the Start pages is disabled on domain-joined or MDM-enrolled devices. By default, this policy is enabled locking down the Start pages according to the settings specified in the Browser/HomePages policy. When enabled, users cannot change the Start pages. If disabled, users can modify the Start pages. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages | -|Data type | Integer | -|Allowed values | | - - ## Do not sync ->*Supported versions: Windows 10* - -This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on the option to turn the feature off by default, but to let the employee change this setting. For information about what settings are synced, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | -|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] ## Do not sync browser settings ->*Supported versions: Windows 10* - -This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. - -**MDM settings in Microsoft Intune** -| | | -|---|---| -|MDM name |Experience/DoNotSynBrowserSettings | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Experience/DoNotSynBrowserSettings | -|Data type |Integer | -|Allowed values | | +[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] ## Keep favorites in sync between Internet Explorer and Microsoft Edge ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including additions, deletions, modifications, and ordering. By default, this setting is disabled or not configured. When disabled or not configured, you cannot sync their favorites. If enabled, you can sync their favorites and stops Microsoft Edge favorites from syncing between connected Windows 10 devices. This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] ## Prevent access to the about:flags page ->*Supported versions: Windows 10, version 1607 or later* - -This policy setting specifies whether you can access the about:flags page, which is used to change developer settings and to enable experimental features. By default, this setting is disabled or not configured, which means you can access the about:flags page. If enabled, you cannot access the about:flags page. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] ## Prevent bypassing Windows Defender SmartScreen prompts for files ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting specifies whether you can override the Windows Defender SmartScreen warnings about downloading unverified files. By default, this setting is disabled or not configured (turned off), which means you can ignore the warnings and can continue the download process. If enabled (turned on), you cannot ignore the warnings and blocks them from downloading unverified files. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] ## Prevent bypassing Windows Defender SmartScreen prompts for sites ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting specifies whether you can override the Windows Defender SmartScreen warnings about potentially malicious websites. By default, this setting is disabled or not configured (turned off), which means you can ignore the warnings and allows them to continue to the site. If enabled (turned on), you cannot ignore the warnings and blocks them from continuing to the site. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] ## Prevent changes to Favorites on Microsoft Edge ->*Supported versions: Windows 10, version 1709* - -This policy setting specifies whether you can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and you can make changes to the Favorites list. If enabled, you cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. - ->[!Important] ->Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] ## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. By default, this setting is disabled or not configured (turned off), which means Microsoft servers are contacted if a site is pinned. If enabled (turned on), Microsoft servers are not contacted if a site is pinned. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection | -|Data type | Integer | -|Allowed values | | - +[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] ## Prevent the First Run webpage from opening on Microsoft Edge ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, the First Run webpage hosted on microsoft.com opens automatically. This policy allows enterprises, such as those enrolled in a zero-emissions configuration, to prevent this page from opening. By default, this setting is disabled or not configured (turned off), which means you see the First Run page. If enabled (turned on), the you do not see the First Run page. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] ## Prevent using Localhost IP address for WebRTC ->*Supported versions: Windows 10, version 1511 or later* - - -This policy setting specifies whether localhost IP address is visible or hidden while making phone calls to the WebRTC protocol. By default, this setting is disabled or not configured (turned off), which means the localhost IP address is visible. If enabled (turned on), localhost IP addresses are hidden. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] ## Provision Favorites ->*Supported versions: Windows 10, version 1709* - -You can configure a default list of favorites that appear for your users in Microsoft Edge. - -If disabled or not configured, a default list of favorites is not defined in Microsoft Edge. In this case, users can customize the Favorites list, such as adding folders for organizing, adding, or removing favorites. - -If enabled, a default list of favorites is defined for users in Microsoft Edge. Users are not allowed to add, import, or change the Favorites list. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. 
- -To define a default list of favorites, you can export favorites from Microsoft Edge and use the HTML file for provisioning user machines. In HTML format, specify the URL which points to the file that has all the data for provisioning favorites. - -URL can be specified as: -- HTTP location: "SiteList"="http://localhost:8080/URLs.html" -- Local network: "SiteList"="\network\shares\URLs.html" -- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html" - ->[!Important] ->You can only enable either this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy, but not both. Enabling both stops you from syncing favorites between Internet Explorer and Microsoft Edge. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites | -|Data type | String | - +[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] ## Send all intranet sites to Internet Explorer 11 ->*Supported versions: Windows 10* - - -This policy setting specifies whether to send intranet traffic to Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. By default, this setting is disabled or not configured (turned off), which means all websites, including intranet sites, open in Microsoft Edge. If enabled, all intranet sites are opened in Internet Explorer 11 automatically. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] ## Set default search engine ->*Supported versions: Windows 10, version 1703 or later* - - -This policy setting allows you to configure the default search engine for domain-joined or MDM-enrolled devices. By default, this setting is not configured, which means the default search engine is specified in App settings. In this case, you can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. If enabled, you can configure a default search engine for you. When enabled, you cannot change the default search engine. If disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. 
- -To set the default search engine, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery. If you'd like your you to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your you to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] ## Show message when opening sites in Internet Explorer ->*Supported versions: Windows 10, version 1607 and later* +[!INCLUDE [show-message-opening-sites-ie-include.md](includes/show-message-opening-sites-ie-include.md)] -This policy setting specifies whether you see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional page’s display. If enabled, you see an additional page. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer | -|Data type | Integer | -|Allowed values | | ## Related topics * [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index ea57180317..2af18fcf6f 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md 
@@ -11,9 +11,12 @@ author: shortpatti --- # Change history for Microsoft Edge -This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. +Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/). + + + +# [2017](#tab/2017) ## September 2017 |New or changed topic | Description | 
@@ -25,23 +28,22 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th |----------------------|-------------| |[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | + +# [2016](#tab/2016) + ## November 2016 |New or changed topic | Description | |----------------------|-------------| |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| |[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | |[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | -|[Microsoft Edge - Deployment Guide for IT Pros](index.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | +|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. 
| ## July 2016 |New or changed topic | Description | |----------------------|-------------| |[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | - -## July 2016 -|New or changed topic | Description | -|----------------------|-------------| |[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | |[Available policies for Microsoft Edge](available-policies.md) |Updated | @@ -56,3 +58,5 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th |New or changed topic | Description | |----------------------|-------------| |[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | + +--- \ No newline at end of file diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md new file mode 100644 index 0000000000..39cc4f17f8 --- /dev/null +++ b/browsers/edge/group-policies/address-bar-settings-gp.md 
@@ -0,0 +1,23 @@
+---
+title: Microsoft Edge - Address bar settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/29/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Address bar settings
+
+
+
+## Allow Address bar drop-down list suggestions
+[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)]
+
+## Configure search suggestions in Address bar
+[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md
new file mode 100644
index 0000000000..36461a27fe
--- /dev/null
+++ b/browsers/edge/group-policies/adobe-settings-gp.md
@@ -0,0 +1,25 @@
+---
+title: Microsoft Edge - Adobe settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Adobe settings
+
+
+
+## Allow Adobe Flash
+[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)]
+
+
+## Configure the Adobe Flash Click-to-Run setting
+[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)]
+
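Review bot: The front matter of this new page ships the authoring template's placeholder text in `description:` ("115-145 characters including spaces. Edit the intro para …") and `keywords:` ("Don’t add or edit keywords without consulting your SEO champ."), and the placeholder itself states that the description is what search results display. The same placeholder values are committed in adobe-settings-gp.md, books-library-management-gp.md, browser-settings-management-gp.md, developer-settings-gp.md and extensions-management-gp.md. Replace each with a one-sentence abstract of the page, for example `description: Group policies that control Address bar drop-down suggestions and search suggestions in Microsoft Edge.`, and either fill `keywords:` or leave it empty as favorites-management-gp.md does.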
diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md
new file mode 100644
index 0000000000..2851dafc5b
--- /dev/null
+++ b/browsers/edge/group-policies/books-library-management-gp.md
@@ -0,0 +1,30 @@
+---
+title: Microsoft Edge - Books Library management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Books Library management
+
+
+
+
+## Allow a shared books folder
+[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)]
+
+## Allow configuration updates for the Books Library
+[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)]
+
+## Allow extended telemetry for the Books tab
+[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)]
+
+## Always show the Books Library in Microsoft Edge
+[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md
new file mode 100644
index 0000000000..213c901cfb
--- /dev/null
+++ b/browsers/edge/group-policies/browser-settings-management-gp.md
@@ -0,0 +1,45 @@
+---
+title: Microsoft Edge - Browser settings management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Browser settings management
+
+
+
+
+## Allow clearing browsing data on exit
+[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)]
+
+## Allow printing
+[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)]
+
+## Allow Saving History
+[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)]
+
+## Configure Autofill
+[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)]
+
+## Configure Pop-up Blocker
+[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)]
+
+## Do not sync
+[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)]
+
+## Do not sync browser settings
+[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)]
+
+## Prevent users from turning on browser syncing
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)]
+
+
+
diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md
new file mode 100644
index 0000000000..9108424f87
--- /dev/null
+++ b/browsers/edge/group-policies/developer-settings-gp.md
@@ -0,0 +1,24 @@
+---
+title: Microsoft Edge - Developer settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Developer settings
+
+
+
+
+## Allow Developer Tools
+[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)]
+
+## Prevent access to the about:flags page
+[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)]
diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md
new file mode 100644
index 0000000000..4f12302469
--- /dev/null
+++ b/browsers/edge/group-policies/extensions-management-gp.md
@@ -0,0 +1,26 @@
+---
+title: Microsoft Edge - Extensions management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Extensions management
+
+
+
+## Allow Extensions
+[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)]
+
+## Allow sideloading of extensions
+[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)]
+
+## Prevent turning off required extensions
+[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)]
diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md
new file mode 100644
index 0000000000..e488c71611
--- /dev/null
+++ b/browsers/edge/group-policies/favorites-management-gp.md
@@ -0,0 +1,29 @@
+---
+title: Microsoft Edge - Favorites management
+description:
+services:
+keywords:
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Favorites management
+
+
+
+## Configure Favorites Bar
+[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)]
+
+## Keep favorites in sync between Internet Explorer and Microsoft Edge
+[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)]
+
+## Prevent changes to Favorites on Microsoft Edge
+[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)]
+
+## Provision Favorites
+[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md
new file mode 100644
index 0000000000..86203ab818
--- /dev/null
+++ b/browsers/edge/group-policies/home-button-gp.md
@@ -0,0 +1,41 @@
+---
+title: Microsoft Edge - Home button configuration options
+description: Microsoft Edge shows the home button and by clicking it the Start page loads by default.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/23/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Home button configuration options
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. You can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button.
+
+## Relevant group policies
+
+- [Configure Home button](#configure-home-button)
+- [Set Home button URL](#set-home-button-url)
+- [Unlock Home button](#unlock-home-button)
+
+
+## Configuration options
+
+![Show home button and load Start page or New tab page](../images/home-button-start-new-tab-page-v4-sm.png)
+
+![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png)
+
+![Hide home button](../images/home-button-hide-v4-sm.png)
+
+
+## Configure Home button
+[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)]
+
+## Set Home button URL
+[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)]
+
+## Unlock Home button
+[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)]
+
diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml
new file mode 100644
index 0000000000..1918d89136
--- /dev/null
+++ b/browsers/edge/group-policies/index.yml
@@ -0,0 +1,231 @@ +### YamlMime:YamlDocument + +documentType: LandingData + +title: Microsoft Edge group policies + +metadata: + + document_id: + + title: Microsoft Edge group policies + + description: Learn how to configure group policies in Microsoft Edge on Windows 10. + + text: Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge, Windows 10, Windows 10 Mobile + + ms.localizationpriority: medium + + author: shortpatti + + ms.author: pashort + + ms.date: 07/26/2018 + + ms.topic: article + + ms.devlang: na + +sections: + +- title: + +- items: + + - type: markdown + + text: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. + +- items: + + - type: list + + style: cards + + className: cardsE + + columns: 3 + + items: + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies + + html:

View all available group policies for Microsoft Edge on Windows 10.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: All group policies + + - href: address-bar-settings-gp + + html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

+ + image: + + src: https://docs.microsoft.com/media/common/i_http.svg + + title: Address bar settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/adobe-settings-gp + + html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Adobe Flash settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/books-library-management-gp + + html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

+ + image: + + src: https://docs.microsoft.com/media/common/i_library.svg + + title: Books library management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/browser-settings-management-gp + + html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Browser settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + + html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

+ + image: + + src: https://docs.microsoft.com/media/common/i_categorize.svg + + title: Deploy Microsoft Edge kiosk mode + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/developer-settings-gp + + html:

Learn how configure Microsoft Edge for development and testing.

+ + image: + + src: https://docs.microsoft.com/media/common/i_config-tools.svg + + title: Developer tools & settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Enterprise mode + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/extensions-management-gp + + html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

+ + image: + + src: https://docs.microsoft.com/media/common/i_extensions.svg + + title: Extensions management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/favorites-management-gp + + html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_link.svg + + title: Favorites management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/home-button-gp + + html:

Learn how you can customize the home button or hide it.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Home button settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + + html:

Learn how to configure the New tab page in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: New tab page settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/prelaunch-preload-gp + + html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Prelaunch Microsoft Edge and preload tabs + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/search-engine-customization-gp + + html:

Learn how you can set the default search engine and configure additional ones.

+ + image: + + src: https://docs.microsoft.com/media/common/i_search.svg + + title: Search engine management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + + html:

Learn how you can keep your environment and users safe from attacks.

+ + image: + + src: https://docs.microsoft.com/media/common/i_security-management.svg + + title: Security & privacy management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/start-pages-gp + + html:

Learn how to configure the Start pages in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Start page settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp + + html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.

+ + image: + + src: https://docs.microsoft.com/media/common/i_sync.svg + + title: Sync browser settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp + + html:

Learn how you can configure Microsoft Edge to collect certain data.

+ + image: + + src: https://docs.microsoft.com/media/common/i_data-collection.svg + + title: Telemetry and data collection diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md new file mode 100644 index 0000000000..9168988d09 --- /dev/null +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md 
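Review bot: The `href` of the Address bar card is the bare relative value `address-bar-settings-gp`, while every other card uses an absolute `https://docs.microsoft.com/en-us/microsoft-edge/deploy/...` URL; unless the landing-page renderer resolves relative hrefs, this card will not reach the new page, so either use `href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp` or, preferably, move all cards to one consistent link form. Several card texts carry typos: `Learn how configure Microsoft Edge for development and testing.` (missing "to"), `Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.` (stray "to", doubled "the"), and `Learn how you use Microsoft Edge and Internet Explorer together` reads better as "how to use". `document_id:` in the metadata block is left empty; if the site tooling keys anything on it, give it a value before merging. The `html:` values are shown here without their diff markers, so their indentation under each `html:` key cannot be verified from this view.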
@@ -0,0 +1,58 @@
+---
+title: Microsoft Edge - Interoperability and enterprise guidance
+description:
+ms.author: pashort
+author: shortpatti
+ms.date: 07/23/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Interoperability and enterprise guidance
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
+
+
+>[!TIP]
+> If you are running an earlier version of Internet Explorer, then we recommend upgrading to IE11, so any legacy apps continue to work correctly.
+
+**Technology not supported by Microsoft Edge**
+- ActiveX controls
+- x-ua-compatible headers
+- <meta> tags
+- Legacy document modes
+
+
+
+>[!TIP]
+>You can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](../emie-to-improve-compatibility.md).
+
+
+If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically.
+
+Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
+
+## Relevant group policies
+
+1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list)
+2. 
[Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11)
+3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer)
+4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge)
+
+
+![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png)
+
+## Configure the Enterprise Mode Site List
+[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)]
+
+## Send all intranet sites to Internet Explorer 11
+[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)]
+
+## Show message when opening sites in Internet Explorer
+[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)]
+
+## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
+[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md
new file mode 100644
index 0000000000..bc6f5d500d
--- /dev/null
+++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md
@@ -0,0 +1,20 @@
+---
+title: Microsoft Edge - New tab page
+description: Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+
+# New tab page
+
+
+Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
+
+
+## Set New Tab page URL
+[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md
new file mode 100644
index 0000000000..e5558942b9
--- /dev/null
+++ b/browsers/edge/group-policies/prelaunch-preload-gp.md
@@ -0,0 +1,38 @@
+---
+title: Microsoft Edge - Prelaunch and tab preload configuration options
+description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+---
+
+# Prelaunch Microsoft Edge and preload tabs in the background
+
+
+
+Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
+
+Additionally, Microsoft Edge preloads the Start and New tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. 
+
+
+## Relevant group policies
+
+- [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)
+- [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)
+
+
+## Configuration options
+
+![Only preload the Start and New tab pages during Windows startup](../images/preload-tabs-only-sm.png)
+
+![Prelauch Microsoft Edge and preload Start and New tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png)
+
+![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png)
+
+
+
+## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
+[!INCLUDE [allow-prelaunch-include](../includes/allow-prelaunch-include.md)]
+
+## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
+[!INCLUDE [allow-tab-preloading-include](../includes/allow-tab-preloading-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md
new file mode 100644
index 0000000000..1ce3437a76
--- /dev/null
+++ b/browsers/edge/group-policies/search-engine-customization-gp.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft Edge - Search engine customization
+description: By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+---
+
+# Search engine customization
+
+By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. You can also prevent users from making changes to the search engine settings.
+
+## Relevant group policies
+
+- [Set default search engine](#set-default-search-engine)
+- [Allow search engine customization](#allow-search-engine-customization)
+- [Configure additional search engines](#configure-additional-search-engines)
+
+
+![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png)
+
+
+## Set default search engine
+[!INCLUDE [set-default-search-engine-include](../includes/set-default-search-engine-include.md)]
+
+## Allow search engine customization
+[!INCLUDE [allow-search-engine-customization-include](../includes/allow-search-engine-customization-include.md)]
+
+## Configure additional search engines
+[!INCLUDE [configure-additional-search-engines-include](../includes/configure-additional-search-engines-include.md)]
+
diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md
new file mode 100644
index 0000000000..2af6f28da2
--- /dev/null
+++ b/browsers/edge/group-policies/security-privacy-management-gp.md
@@ -0,0 +1,51 @@
+---
+title: Microsoft Edge - Security and privacy management
+description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/27/2018
+---
+
+# Security and privacy management
+
+Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes.
+
+Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.
+
+The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. 
+
+
+
+## Configure cookies
+[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)]
+
+## Configure Password Manager
+[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)]
+
+## Configure Windows Defender SmartScreen
+[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)]
+
+## Prevent bypassing Windows Defender SmartScreen prompts for files
+[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)]
+
+## Prevent bypassing Windows Defender SmartScreen prompts for sites
+[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)]
+
+## Prevent certificate error overrides
+[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)]
+
+## Prevent using Localhost IP address for WebRTC
+[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)]
+
+
+
+| | |
+|---|---|
+| **[Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Authenticates the user and the website with asymmetric cryptography technology. Microsoft Edge natively supports Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). |
+| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against installing malicious software or file downloads, even from trusted sites. 
|
+| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically. |
+| **Microsoft EdgeHTML** | Defends against hacking through the following security standards features: |
+| **Code integrity and image loading restrictions** | Prevents malicious DLLs from loading or injecting into the content processes. Only signed images are allowed to load in Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. |
+| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities with the use of [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). |
+| **Memory Garbage Collector (MemGC) mitigation** | Replaces Memory Protector and helps to defend the browser from UAF vulnerabilities by freeing memory from the programmer and automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. |
+| **Control Flow Guard** | Compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only going to function entry points with known addresses. Control Flow Guard is a Microsoft Visual Studio technology. |
\ No newline at end of file
diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md
new file mode 100644
index 0000000000..ddb428bcc4
--- /dev/null
+++ b/browsers/edge/group-policies/start-pages-gp.md
@@ -0,0 +1,49 @@
+---
+title: Microsoft Edge - Start pages
+description: Configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Start pages configuration options
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+
+Microsoft Edge loads the pages specified in App settings as the default Start pages. You can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes.
+
+## Relevant group policies
+
+- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with)
+- [Configure Start Pages](#configure-start-pages)
+- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages)
+
+
+![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png)
+
+
+## Configure Open Microsoft Edge With
+[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)]
+
+## Configure Start Pages
+[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)]
+
+## Disable Lockdown of Start pages
+[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)]
+
+
+### Configuration options
+
+| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** |
+| --- | --- | --- | --- |
+| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. 
|
+| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | Load any start page and let users make changes .|
+| Enabled (Start page) | Enabled – String | Blank or not configured | Load Start page(s) and prevent users from making changes. |
+| Enabled (New tab page) | Enabled – String | Blank or not configured | Load New tab page and prevent users from making changes. |
+| Enabled (Previous pages) | Enabled – String | Blank or not configured | Load previously opened pages and prevent users from making changes. |
+| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | Load a specific page or pages and prevent users from making changes. |
+| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | Load a specific page or pages and let users make changes. |
+---
\ No newline at end of file
diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md
new file mode 100644
index 0000000000..957e790520
--- /dev/null
+++ b/browsers/edge/group-policies/sync-browser-settings-gp.md
@@ -0,0 +1,38 @@
+---
+title: Microsoft Edge - Sync browser settings options
+description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes.
+ms.author: pashort
+author: shortpatti
+ms.date: 08/06/2018
+---
+
+# Sync browser settings options
+
+
+By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy.
+
+
+## Relevant policies
+- [Do not sync browser settings](#do-not-sync-browser-settings)
+- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing)
+
+
+## Configuration options
+
+![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png)
+
+![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png)
+
+
+## Verify the configuration
+To verify if syncing is turned on or off:
+1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\).
+2. Click **Settings**.
+3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG)
+
+
+## Do not sync browser settings
+[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)]
+
+## Prevent users from turning on browser syncing
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md
new file mode 100644
index 0000000000..242ecf0298
--- /dev/null
+++ b/browsers/edge/group-policies/telemetry-management-gp.md
@@ -0,0 +1,26 @@
+---
+title: Microsoft Edge - Telemetry and data collection
+description:
+ms.author: pashort
+author: shortpatti
+ms.date: 07/29/2018
+---
+
+# Telemetry and data collection
+
+
+
+## Allow extended telemetry for the Books tab
+[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)]
+
+## Configure collection of browsing data for Microsoft 365 Analytics
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)]
+
+
+
+## Configure Do Not Track
+[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)]
+
+
+## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
+[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/images/148766.png b/browsers/edge/images/148766.png
new file mode 100644
index 0000000000..cf568656a7
Binary files /dev/null and b/browsers/edge/images/148766.png differ
diff --git a/browsers/edge/images/148767.png b/browsers/edge/images/148767.png
new file mode 100644
index 0000000000..7f8b92a620
Binary files /dev/null and b/browsers/edge/images/148767.png differ
diff --git a/browsers/edge/images/Multi-app_kiosk_inFrame.png b/browsers/edge/images/Multi-app_kiosk_inFrame.png
new file mode 100644
index 0000000000..a1c62f8ffe
Binary files /dev/null and b/browsers/edge/images/Multi-app_kiosk_inFrame.png differ
diff --git a/browsers/edge/images/Normal_inFrame.png b/browsers/edge/images/Normal_inFrame.png
new file mode 100644
index 0000000000..fccb0d4e56
Binary files /dev/null and b/browsers/edge/images/Normal_inFrame.png differ
diff --git a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png
new file mode 100644
index 0000000000..b7dfc0ee28
Binary files /dev/null and b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png differ
diff --git a/browsers/edge/images/allow-shared-books-folder_sm.png b/browsers/edge/images/allow-shared-books-folder_sm.png
new file mode 100644
index 0000000000..fc49829b14
Binary files /dev/null and b/browsers/edge/images/allow-shared-books-folder_sm.png differ
diff --git a/browsers/edge/images/allow-smart-screen-validation.PNG b/browsers/edge/images/allow-smart-screen-validation.PNG
new file mode 100644
index 0000000000..f118ea8b9c
Binary files /dev/null and b/browsers/edge/images/allow-smart-screen-validation.PNG differ
diff --git a/browsers/edge/images/check-gn.png b/browsers/edge/images/check-gn.png
new file mode 100644
index 0000000000..8aab16a59a
Binary files /dev/null and b/browsers/edge/images/check-gn.png differ
diff --git a/browsers/edge/images/config-enterprise-site-list.png b/browsers/edge/images/config-enterprise-site-list.png
new file mode 100644
index 0000000000..82ffc30895
Binary files /dev/null and b/browsers/edge/images/config-enterprise-site-list.png differ
diff --git a/browsers/edge/images/config-open-me-with-scenarios-tab.PNG b/browsers/edge/images/config-open-me-with-scenarios-tab.PNG
new file mode 100644
index 0000000000..0e39d589d5
Binary files /dev/null and b/browsers/edge/images/config-open-me-with-scenarios-tab.PNG differ
diff --git a/browsers/edge/images/enterprise-mode-value-data.png b/browsers/edge/images/enterprise-mode-value-data.png
new file mode 100644
index 0000000000..9e9ece9c1a
Binary files /dev/null and b/browsers/edge/images/enterprise-mode-value-data.png differ
diff --git a/browsers/edge/images/home-buttom-custom-url-v4-sm.png b/browsers/edge/images/home-buttom-custom-url-v4-sm.png
new file mode 100644
index 0000000000..397b46c75b
Binary files /dev/null and b/browsers/edge/images/home-buttom-custom-url-v4-sm.png differ
diff --git a/browsers/edge/images/home-buttom-custom-url-v4.png b/browsers/edge/images/home-buttom-custom-url-v4.png
new file mode 100644
index 0000000000..db47a93117
Binary files /dev/null and b/browsers/edge/images/home-buttom-custom-url-v4.png differ
diff --git a/browsers/edge/images/home-button-hide-v4-sm.png b/browsers/edge/images/home-button-hide-v4-sm.png
new file mode 100644
index 0000000000..b8adce292b
Binary files /dev/null and b/browsers/edge/images/home-button-hide-v4-sm.png differ
diff --git a/browsers/edge/images/home-button-hide-v4.png b/browsers/edge/images/home-button-hide-v4.png
new file mode 100644
index 0000000000..ef43ce6f77
Binary files /dev/null and b/browsers/edge/images/home-button-hide-v4.png differ
diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png
new file mode 100644
index 0000000000..7b04f17b28
Binary files /dev/null and b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png differ
diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4.png b/browsers/edge/images/home-button-start-new-tab-page-v4.png
new file mode 100644
index 0000000000..599ebeb8df
Binary files /dev/null and b/browsers/edge/images/home-button-start-new-tab-page-v4.png differ
diff --git a/browsers/edge/images/icon-thin-line-computer.png b/browsers/edge/images/icon-thin-line-computer.png
new file mode 100644
index 0000000000..e941caf0c1
Binary files /dev/null and b/browsers/edge/images/icon-thin-line-computer.png differ
diff --git a/browsers/edge/images/kiosk-mode-types.png b/browsers/edge/images/kiosk-mode-types.png
new file mode 100644
index 0000000000..1ae43b31ac
Binary files /dev/null and b/browsers/edge/images/kiosk-mode-types.png differ
diff --git a/browsers/edge/images/load-any-start-page-let-users-make-changes.png b/browsers/edge/images/load-any-start-page-let-users-make-changes.png
new file mode 100644
index 0000000000..fd4caf021e
Binary files /dev/null and b/browsers/edge/images/load-any-start-page-let-users-make-changes.png differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png
new file mode 100644
index 0000000000..eb3987003d
Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png
new file mode 100644
index 0000000000..bf4dc617aa
Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png
new file mode 100644
index 0000000000..eacac1b216
Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png
new file mode 100644
index 0000000000..eacac1b216
Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png differ
diff --git a/browsers/edge/images/microsoft-edge-kiosk-mode.png b/browsers/edge/images/microsoft-edge-kiosk-mode.png
new file mode 100644
index 0000000000..ec794911b7
Binary files /dev/null and b/browsers/edge/images/microsoft-edge-kiosk-mode.png differ
diff --git a/browsers/edge/images/multi-app-kiosk-mode.PNG b/browsers/edge/images/multi-app-kiosk-mode.PNG
new file mode 100644
index 0000000000..fd924f92b0
Binary files /dev/null and b/browsers/edge/images/multi-app-kiosk-mode.PNG differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png
new file mode 100644
index 0000000000..823309be3e
Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png
new file mode 100644
index 0000000000..a287ebb8fd
Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png
new file mode 100644
index 0000000000..365bddf96a
Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-only-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only.png b/browsers/edge/images/prelaunch-edge-only.png
new file mode 100644
index 0000000000..975a745f3f
Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-only.png differ
diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png
new file mode 100644
index 0000000000..32089d3fce
Binary files /dev/null and b/browsers/edge/images/preload-tabs-only-sm.png differ
diff --git a/browsers/edge/images/preload-tabs-only.png b/browsers/edge/images/preload-tabs-only.png
new file mode 100644
index 0000000000..01181d6b82
Binary files /dev/null and b/browsers/edge/images/preload-tabs-only.png differ
diff --git a/browsers/edge/images/prevent-syncing-browser-settings-sm.png b/browsers/edge/images/prevent-syncing-browser-settings-sm.png
new file mode 100644
index 0000000000..7bcdfcdc8c
Binary files /dev/null and b/browsers/edge/images/prevent-syncing-browser-settings-sm.png differ
diff --git a/browsers/edge/images/prevent-syncing-browser-settings.png b/browsers/edge/images/prevent-syncing-browser-settings.png
new file mode 100644
index 0000000000..6f98dc6c22
Binary files /dev/null and b/browsers/edge/images/prevent-syncing-browser-settings.png differ
diff --git a/browsers/edge/images/set-default-search-engine-v4-sm.png b/browsers/edge/images/set-default-search-engine-v4-sm.png
new file mode 100644
index 0000000000..44a5ae094a
Binary files /dev/null and b/browsers/edge/images/set-default-search-engine-v4-sm.png differ
diff --git a/browsers/edge/images/set-default-search-engine-v4.png b/browsers/edge/images/set-default-search-engine-v4.png
new file mode 100644
index 0000000000..59528a3282
Binary files /dev/null and b/browsers/edge/images/set-default-search-engine-v4.png differ
diff --git a/browsers/edge/images/single-app-kiosk-mode.PNG b/browsers/edge/images/single-app-kiosk-mode.PNG
new file mode 100644
index 0000000000..a939973c62
Binary files /dev/null and b/browsers/edge/images/single-app-kiosk-mode.PNG differ
diff --git a/browsers/edge/images/sync-browser-settings-automatically-sm.png b/browsers/edge/images/sync-browser-settings-automatically-sm.png
new file mode 100644
index 0000000000..25b68500d5
Binary files /dev/null and b/browsers/edge/images/sync-browser-settings-automatically-sm.png differ
diff --git a/browsers/edge/images/sync-browser-settings-automatically.png b/browsers/edge/images/sync-browser-settings-automatically.png
new file mode 100644
index 0000000000..3f81196ebc
Binary files /dev/null and b/browsers/edge/images/sync-browser-settings-automatically.png differ
diff --git a/browsers/edge/images/sync-settings.PNG b/browsers/edge/images/sync-settings.PNG
new file mode 100644
index 0000000000..5c72626abd
Binary files /dev/null and b/browsers/edge/images/sync-settings.PNG differ
diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png
new file mode 100644
index 0000000000..e443c71bda
Binary files /dev/null and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png differ
diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png
new file mode 100644
index 0000000000..8a9b11ff19
Binary files /dev/null and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png differ
diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md
new file mode 100644
index 0000000000..bd15a448b8
--- /dev/null
+++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md
@@ -0,0 +1,41 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)]
+
+
+### Supported values
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Address bar drop-down list suggestions
+- **GP name:** AllowAddressBarDropdown
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI
+- **Value name:** ShowOneBox
+- **Value type:** REG_DWORD
+
+
+### Related policies
+
+[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md
new file mode 100644
index 0000000000..669cdf2257
--- /dev/null
+++ b/browsers/edge/includes/allow-adobe-flash-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-adobe-flash-shortdesc](../shortdesc/allow-adobe-flash-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled |0 |0 |Prevented/not allowed | +|Enabled **(default)** |1 |1 |Allowed | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Adobe Flash +- **GP name:** AllowFlash +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Addons +- **Value name:** FlashPlayerEnabled +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md
new file mode 100644
index 0000000000..06982d1176
--- /dev/null
+++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md
@@ -0,0 +1,36 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented/not allowed)*
+
+[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)]
+
+### Supported values
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured **(default)** |0 |0 |Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. | |
+|Enabled |1 |1 |Allowed. Clear the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) |
+---
+
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow clearing browsing data on exit
+- **GP name:** AllowClearingBrowsingDataOnExit
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
+- **Data type:** Integer
+
+#### *Registry
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy
+- **Value name:** ClearBrowsingHistoryOnExit
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md new file mode 100644 index 0000000000..325293262e --- /dev/null +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -0,0 +1,38 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow configuration updates for the Books Library +- **GP name:** AllowConfigurationUpdateForBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary +- **Value name:** AllowConfigurationUpdateForBooksLibrary +- **Value type:** REG_DWORD + +### Related topics + +[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) +

+


diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md new file mode 100644 index 0000000000..a175001e68 --- /dev/null +++ b/browsers/edge/includes/allow-cortana-include.md @@ -0,0 +1,35 @@ + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | +|Enabled
**(default)** |1 |1 |Allowed. | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Cortana +- **GP name:** AllowCortana +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) +- **Supported devices:** Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search +- **Value name:** AllowCortana +- **Value type:** REG_DWORD + +
+ diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md new file mode 100644 index 0000000000..919b4a9968 --- /dev/null +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -0,0 +1,36 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Allowed | | +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Developer Tools +- **GP name:** AllowDeveloperTools +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) +- **Supported devices:** Desktop +- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 +- **Value name:** AllowDeveloperTools +- **Value type:** REG_DWORD + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md new file mode 100644 index 0000000000..1018a1cdd6 --- /dev/null +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -0,0 +1,33 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured* + +[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | | +--- +### ADMX info and settings + +#### ADMX info +- **GP English name:** Always show the Books Library in Microsoft Edge +- **GP name:** AlwaysEnableBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AlwaysEnableBooksLibrary +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md new file mode 100644 index 0000000000..d81f086e84 --- /dev/null +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -0,0 +1,35 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* + +[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Microsofot gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Microsoft gathers all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow extended telemetry for the Books tab +- **GP name:** EnableExtendedBooksTelemetry +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Value name:** EnableExtendedBooksTelemetry +- **Value type:** REG_DWORD + + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md new file mode 100644 index 0000000000..d779ecdd05 --- /dev/null +++ b/browsers/edge/includes/allow-extensions-include.md @@ -0,0 +1,39 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled |0 |0 |Prevented/not allowed | +|Enabled or not configured
**(default)** |1 |1 |Allowed | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Extensions +- **GP name:** AllowExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions +- **Value name:** ExtensionsEnabled +- **Value type:** REG_DWORD + +### Related topics + +[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): +This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md new file mode 100644 index 0000000000..82d4ac9996 --- /dev/null +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -0,0 +1,36 @@ + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)* + + +[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Enabled
**(default)** |1 |1 |Allowed | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow fullscreen mode +- **GP name:** AllowFullScreenMode +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AllowFullScreenMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md new file mode 100644 index 0000000000..aed98d6009 --- /dev/null +++ b/browsers/edge/includes/allow-inprivate-browsing-include.md @@ -0,0 +1,36 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled or not configured (Allowed)* + + +[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)] + + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow InPrivate browsing +- **GP name:** AllowInPrivate +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowInPrivate +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md new file mode 100644 index 0000000000..7feffa1941 --- /dev/null +++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md @@ -0,0 +1,34 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Compatibility List +- **GP name:** AllowCVList +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation +- **Value name:** MSCompatibilityMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md new file mode 100644 index 0000000000..fc39431ec2 --- /dev/null +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -0,0 +1,40 @@ + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed | | +--- +### Configuration options + +For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md). + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +- **GP name:** AllowPreLaunch +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ +- **Value name:** AllowPrelaunch +- **Value type:** REG_DWORD + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md new file mode 100644 index 0000000000..196a72daea --- /dev/null +++ b/browsers/edge/includes/allow-printing-include.md @@ -0,0 +1,34 @@ + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow printing +- **GP name:** AllowPrinting +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowPrinting +- **Value type:** REG_DWORD + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md new file mode 100644 index 0000000000..7829c1fed0 --- /dev/null +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -0,0 +1,36 @@ + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow saving history +- **GP name:** AllowSavingHistory +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowSavingHistory +- **Value type:** REG_DWORD + + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md new file mode 100644 index 0000000000..0ee8c5866e --- /dev/null +++ b/browsers/edge/includes/allow-search-engine-customization-include.md @@ -0,0 +1,52 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed | | +--- + +### Configuration options + +For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). + +### ADMX info and settings + +##### ADMX info +- **GP English name:** Allow search engine customization +- **GP name:** AllowSearchEngineCustomization +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +- **Data type:** Integer + + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected +- **Value name:** AllowSearchEngineCustomization +- **Value type:** REG_DWORD + + +### Related policies + +- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +### Related topics + +- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] + +- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)] + +
\ No newline at end of file diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md new file mode 100644 index 0000000000..ca16e49ee0 --- /dev/null +++ b/browsers/edge/includes/allow-shared-folder-books-include.md @@ -0,0 +1,39 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1803*
+>*Default setting: Disabled or not configured (Not allowed)* + +[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] + +### Supported values +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.| | +--- + +![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow a shared Books folder +- **GP name:** UseSharedFolderForBooks +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Value name:** UseSharedFolderForBooks +- **Value type:** REG_DWORD + +### Related policies + +**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] + +
diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md new file mode 100644 index 0000000000..b6ebf001c6 --- /dev/null +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -0,0 +1,44 @@ + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | +|Enabled
**(default)** |1 |1 |Allowed. | | +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow sideloading of Extensions +- **GP name:** AllowSideloadingOfExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** AllowSideloadingOfExtensions +- **Value type:** REG_DWORD + +### Related policies + +- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. + +- [Allow all trusted apps to install](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. + +### Related topics + +[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. 
Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md
new file mode 100644
index 0000000000..b09c405754
--- /dev/null
+++ b/browsers/edge/includes/allow-tab-preloading-include.md
@@ -0,0 +1,39 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1802*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New tab pages. | |
+---
+
+
+### Configuration options
+
+For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md).
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed
+- **GP name:** AllowTabPreloading
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader
+- **Value name:** AllowTabPreloading
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md
new file mode 100644
index 0000000000..7c6889225d
--- /dev/null
+++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md
@@ -0,0 +1,37 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Default New tab page loads)*
+
+
+[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
+
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured |Blank |Blank |Users can choose what loads on the New tab page. |
+|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevent users from changing it. |
+|Enabled **(default)** |1 |1 |Load the default New tab page. |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow web content on New Tab page
+- **GP name:** AllowWebContentOnNewTabPage
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
+- **Value name:** AllowWebContentOnNewTabPage
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md
new file mode 100644
index 0000000000..62804e3f93
--- /dev/null
+++ b/browsers/edge/includes/always-enable-book-library-include.md
@@ -0,0 +1,35 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured*
+
+
+[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Always show the Books Library in Microsoft Edge
+- **GP name:** AlwaysEnableBooksLibrary
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AlwaysEnableBooksLibrary
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md
new file mode 100644
index 0000000000..4a64abb65c
--- /dev/null
+++ b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md
@@ -0,0 +1 @@
+[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md
new file mode 100644
index 0000000000..f77a076f2a
--- /dev/null
+++ b/browsers/edge/includes/configure-additional-search-engines-include.md
@@ -0,0 +1,52 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented/not allowed)*
+
+[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | |
+---
+
+
+### Configuration options
+
+For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md).
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure additional search engines
+- **GP name:** ConfigureAdditionalSearchEngines
+- **GP element:** ConfigureAdditionalSearchEngines_Prompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch
+- **Value name:** ConfigureAdditionalSearchEngines
+- **Value type:** REG_SZ
+
+### Related policies
+
+- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)]
+
+- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)]
+
+
+### Related topics
+
+- [Microsoft browser extension 
policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+
+- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites.
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
new file mode 100644
index 0000000000..d7b0fa6adb
--- /dev/null
+++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Does not load content automatically)*
+
+[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Load and run Adobe Flash content automatically. | |
+|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content automatically. Requires action from the user. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Configure the Adobe Flash Click-to-Run setting
+- **GP name:** AllowFlashClickToRun
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security
+- **Value name:** FlashClickToRunMode
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-allow-flash-url-list-include.md b/browsers/edge/includes/configure-allow-flash-url-list-include.md
new file mode 100644
index 0000000000..919215341c
--- /dev/null
+++ b/browsers/edge/includes/configure-allow-flash-url-list-include.md
@@ -0,0 +1,36 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting:*
+
+[!INCLUDE [configure-allow-flash-for-url-list-shortdesc](../shortdesc/configure-allow-flash-for-url-list-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+![Most restricted value](../images/check-gn.png)
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:**
+- **GP name:**
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[]()
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:**
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md
new file mode 100644
index 0000000000..b63f604958
--- /dev/null
+++ b/browsers/edge/includes/configure-autofill-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured*
+
+[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** | Blank |Blank |Users can choose to use AutoFill. | |
+|Disabled | 0 | no | Prevented. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |yes | Allowed. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Autofill
+- **GP name:** AllowAutofill
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** Use FormSuggest
+- **Value type:** REG_SZ
+
+
diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
new file mode 100644
index 0000000000..3a0386c574
--- /dev/null
+++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
@@ -0,0 +1,54 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (No data collected or sent)*
+
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)]
+
+
+>[!IMPORTANT]
+>For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID.
+
+### Supported values
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |No data collected or sent |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Send intranet history only | |
+|Enabled |2 |2 |Send Internet history only | |
+|Enabled |3 |3 |Send both intranet and Internet history | |
+---
+
+>>You can find this policy and the related policies in the following location of the Group Policy Editor:
+>>
+>>**_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_**
+>>
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics
+- **GP name:** ConfigureTelemetryForMicrosoft365Analytics
+- **GP element:** ZonesListBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
+- **Value name:** MicrosoftEdgeDataOptIn
+- **Value type:** REG_DWORD
+
+### Related policies
+- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM).
+
+- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization.
+
+
diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md
new file mode 100644
index 0000000000..f89816f8d8
--- /dev/null
+++ b/browsers/edge/includes/configure-cookies-include.md
@@ -0,0 +1,35 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allow all cookies from all sites)*
+
+[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Enabled |0 |0 |Block all cookies from all sites |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Block only coddies from third party websites | |
+|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure cookies
+- **GP name:** Cookies
+- **GP element:** CookiesListBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** Cookies
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md
new file mode 100644
index 0000000000..4ead2d87a7
--- /dev/null
+++ b/browsers/edge/includes/configure-do-not-track-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Do not send tracking information)*
+
+[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | |
+|Disabled |1 |1 |Never send tracking information. | |
+|Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Do Not Track
+- **GP name:** AllowDoNotTrack
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** DoNotTrack
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md
new file mode 100644
index 0000000000..a1dfe3e91c
--- /dev/null
+++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: 5 minutes*
+
+[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
+
+You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
+
+### Supported values
+
+- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
+
+- **0** – No idle timer.
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure kiosk reset after idle timeout
+- **GP name:** ConfigureKioskResetAfterIdleTimeout
+- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode
+- **Value name:**ConfigureKioskResetAfterIdleTimeout
+- **Value type:** REG_DWORD
+
+
+
+### Related policies
+
+[Configure kiosk mode](../new-policies.md#configure-kiosk-mode): [!INCLUDE 
[configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)]
+
+
+
+### Related topics
+[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
new file mode 100644
index 0000000000..6b347ce989
--- /dev/null
+++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
@@ -0,0 +1,55 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+
+[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. |
+|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Configure the Enterprise Mode Site List
+- **GP name:** EnterpriseModeSiteList
+- **GP element:** EnterSiteListPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode
+- **Value name:** SiteList
+- **Value type:** REG_SZ
+
+### Related Policies
+
+[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE
+[show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+### Related topics
+
+- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. 
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+- [Enterprise Mode for Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
+
+- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using Enterprise Mode Site List Manager (schema v.2), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your users can easily view this site list by typing about:compat in either Microsoft Edge or IE11.
+
+
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md
new file mode 100644
index 0000000000..f4f537218f
--- /dev/null
+++ b/browsers/edge/includes/configure-favorites-bar-include.md
@@ -0,0 +1,37 @@ + +>*Supported versions: Microsoft Edge on Windows 10, new major release* +>*Default setting: Not configured (Hidden)* + + +[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] + + +### Supported values + + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Not configured **(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. | +|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Favorites Bar +- **GP name:** ConfigureFavoritesBar +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** ConfigureFavoritesBar +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md
new file mode 100644
index 0000000000..4b4862fef7
--- /dev/null
+++ b/browsers/edge/includes/configure-favorites-include.md
@@ -0,0 +1,4 @@
+
+>Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy in place of Configure Favorites.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md
new file mode 100644
index 0000000000..9c1c8851ac
--- /dev/null
+++ b/browsers/edge/includes/configure-home-button-include.md
@@ -0,0 +1,53 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Show home button and load the Start page)* + + +[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled or not configured
**(default)** |0 |0 |Show home button and load the Start page. | +|Enabled |1 |1 |Show home button and load the New tab page. | +|Enabled |2 |2 |Show home button and load the custom URL defined in the Set Home button URL policy. | +|Enabled |3 |3 |Hide home button. | +--- + +### Configuration options + +For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). + +>[!TIP] +>If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home button** policy or **Set Home button URL** policy.
  3. Disable the **Unlock Home Button** policy.
+ + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Home button +- **GP name:** ConfigureHomeButton +- **GP element:** ConfigureHomeButtonDropdown +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + +- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-inprivate-include.md b/browsers/edge/includes/configure-inprivate-include.md
new file mode 100644
index 0000000000..c29a818b47
--- /dev/null
+++ b/browsers/edge/includes/configure-inprivate-include.md
@@ -0,0 +1,32 @@
+## Configure InPrivate
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured + + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +| | | | | | +| | | | | | +| | | | | | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** +- **GP name:** +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[]() +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ +- **Value name:** +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md
new file mode 100644
index 0000000000..54880f184f
--- /dev/null
+++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Not configured* + +[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] + +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). + +### Supported values + +| | | +|---|---| +|(0) Default or not configured | | +|(1) Enabled | | +--- + +![Microsoft Edge kiosk experience](../images/microsoft-edge-kiosk-mode.png) + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure kiosk mode +- **GP name:** ConfigureKioskMode +- **GP element:** ConfigureKioskMode_TextBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- **Value name:** ConfigureKioskMode +- **Value type:** REG_SZ + +### Related policies +[Configure kiosk reset after idle timeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + + +### Related topics +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. 
In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience. + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md
new file mode 100644
index 0000000000..70ba21e6ab
--- /dev/null
+++ b/browsers/edge/includes/configure-open-edge-with-include.md
@@ -0,0 +1,61 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled (A specific page or pages)* + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. + +**Version 1810:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+ +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | +|Enabled |0 |0 |Loads the Start page. | +|Enabled |1 |1 |Load the New tab page. | +|Enabled |2 |2 |Load the previous pages. | +|Enabled
**(default)** |3 |3 |Load a specific page or pages. | +--- + +### Configuration options + +For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). + + +>[!TIP] +>If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
+ + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Open Microsoft Edge With +- **GP name:** ConfigureOpenMicrosoftEdgeWith +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureOpenEdgeWith +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + + + + + +--- \ No newline at end of file diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md new file mode 100644 index 0000000000..4d3afb59c3 --- /dev/null +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -0,0 +1,39 @@ + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed/users can change the setting)* + +[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Not configured |Blank |Blank |Users can choose to save and manage passwords locally. | | +|Disabled |0 |no |Not allowed. |![Most restricted value](../images/check-gn.png) | +|Enabled
**(default)** |1 |yes |Allowed. | | +--- + +Verify not allowed/disabled settings: +1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…). +2. Click **Settings** and select **View Advanced settings**. +3. Verify the settings **Save Password** is toggled off or on and is greyed out. + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Password Manager +- **GP name:** AllowPasswordManager +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** FormSuggest Passwords +- **Value type:** REG_SZ + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md
new file mode 100644
index 0000000000..cb5d637204
--- /dev/null
+++ b/browsers/edge/includes/configure-pop-up-blocker-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled (Turned off)* + +[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | | +|Disabled
**(default)** |0 |0 |Turn off Pop-up Blocker letting pop-up windows open. | | +|Enabled |1 |1 |Turn on Pop-up Blocker stopping pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Pop-up Blocker +- **GP name:** AllowPopups +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups +- **Data type:** Integer + +### Registry +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowPopups +- **Value type:** REG_SZ + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md
new file mode 100644
index 0000000000..eaa3667bd8
--- /dev/null
+++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured* + +[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | | +|Disabled |0 |0 |Prevented/not allowed. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Allowed. Show the search suggestions. | | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure search suggestions in Address bar +- **GP name:** AllowSearchSuggestionsinAddressBar +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes +- **Value name:** ShowSearchSuggestionsGlobal +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md
new file mode 100644
index 0000000000..4a5c023576
--- /dev/null
+++ b/browsers/edge/includes/configure-start-pages-include.md
@@ -0,0 +1,47 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Blank or not configured (Load pages specified in App settings)* + +[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. | +|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1810:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | +--- + +### Configuration options + +For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Start pages +- **GP name:** HomePages +- **GP element:** HomePagesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ProvisionedHomePages +- **Value type:** REG_SZ + + +### Related policies + +- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + +- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + + + +


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md
new file mode 100644
index 0000000000..2baca3bc94
--- /dev/null
+++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Turned on)* + +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | | +|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | | +|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) | +--- + +To verify Windows Defender SmartScreen is turned off (disabled): +1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**). +2. Click **Settings** and select **View Advanced Settings**. +3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Windows Defender SmartScreen +- **GP name:** AllowSmartScreen +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** EnabledV9 +- **Value type:** REG_DWORD + +


\ No newline at end of file
diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md
new file mode 100644
index 0000000000..dc266010e5
--- /dev/null
+++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md
@@ -0,0 +1,51 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Start pages are not editable)* + +[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | +--- + +### Configuration options + +For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Disable lockdown of Start pages +- **GP name:** DisableLockdownOfStartPages +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** DisableLockdownOfStartPages +- **Value type:** REG_SZ + + + + + +### Related Policies +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +### Related topics + +[!INCLUDE [browser-extension-policy-shortdesc-include](browser-extension-policy-shortdesc-include.md)] + +


\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
new file mode 100644
index 0000000000..3d4feeb168
--- /dev/null
+++ b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
@@ -0,0 +1,31 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured* + + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +| | | | | | +| | | | | | +| | | | | | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** +- **GP name:** +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[]() +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ +- **Value name:** +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md
new file mode 100644
index 0000000000..76f5af9496
--- /dev/null
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@@ -0,0 +1,48 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allowed/turned on)* + +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | +|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. | +--- + +### Configuration options + +For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Do not sync browser settings +- **GP name:** DoNotSyncBrowserSettings +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync +- **Value name:** DisableWebBrowserSettingSyncUserOverride +- **Value + +### Related policies + +[Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + + + +### Related topics + +[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) +

+


diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md
new file mode 100644
index 0000000000..8bd1b9e20f
--- /dev/null
+++ b/browsers/edge/includes/do-not-sync-include.md
@@ -0,0 +1,37 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Turned on)* + +[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Users can choose what to sync to their device. | | +|Enabled |2 |2 |Prevented/turned off. Disables the Sync your Settings toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Do not sync +- **GP name:** AllowSyncMySettings +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync +- **Value name:** DisableSettingSyn +- **Value type:** REG_DWORD + +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed. + + +
\ No newline at end of file
diff --git a/browsers/edge/includes/edge-respects-applocker-lists-include.md b/browsers/edge/includes/edge-respects-applocker-lists-include.md
new file mode 100644
index 0000000000..60b8d8f5e0
--- /dev/null
+++ b/browsers/edge/includes/edge-respects-applocker-lists-include.md
@@ -0,0 +1,22 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+| | |
+|---|---|
+|ADMX info | |
+|MDM settings | |
+|Registry | |
+---
+
+
+---
\ No newline at end of file
diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
new file mode 100644
index 0000000000..f724a38af6
--- /dev/null
+++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
@@ -0,0 +1 @@
+[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
\ No newline at end of file
diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
new file mode 100644
index 0000000000..ed4e9b1019
--- /dev/null
+++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
@@ -0,0 +1,7 @@
+>*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured*
+
+By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List.
+
+>[!NOTE]
+>If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11.
diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md
new file mode 100644
index 0000000000..e9e73eb750
--- /dev/null
+++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Turned off/not syncing)* + +[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Turned off/not syncing. | | +|Enabled |1 |1 |Turned on/syncing. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +### ADMX info +- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge +- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
new file mode 100644
index 0000000000..c0590648fa
--- /dev/null
+++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
@@ -0,0 +1 @@
+[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment.
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md
new file mode 100644
index 0000000000..a2f7492948
--- /dev/null
+++ b/browsers/edge/includes/prevent-access-about-flag-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed. | | +|Enabled |1 |1 |Prevents users from access the about:flags page. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent access to the about:flags page in Microsoft Edge +- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md
new file mode 100644
index 0000000000..e547317eb3
--- /dev/null
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | +|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files +- **GP name:** PreventSmartScreenPromptOverrideForFiles +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** PreventOverrideAppRepUnknown +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
new file mode 100644
index 0000000000..e57bb9f213
--- /dev/null
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to the site.| | +|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites +- **GP name:** PreventSmartscreenPromptOverride +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** PreventOverride +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
new file mode 100644
index 0000000000..052ef6499e
--- /dev/null
+++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
@@ -0,0 +1,32 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | | +|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent certificate error overrides +- **GP name:** PreventCertErrorOverrides +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting +- **Value name:** PreventCertErrorOverrides +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md
new file mode 100644
index 0000000000..4bbb97f4b0
--- /dev/null
+++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured (Allowed/not locked down)* + +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed/not locked down. Users can add, import, and make changes to the Favorites list. | | +|Enabled |1 |1 |Prevented/locked down. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent changes to Favorites on Microsoft Edge +- **GP name:** LockdownFavorites +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** LockdownFavorites +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
new file mode 100644
index 0000000000..61192efbcf
--- /dev/null
+++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed. Microsoft Edge loads the welcome page. | | +|Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge +- **GP name:** PreventFirstRunPage +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +- **Data type:** Integer + +####Registry +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventFirstRunPage +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
new file mode 100644
index 0000000000..844e72d227
--- /dev/null
+++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Collect and send)* + +[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | | +|Enabled |1 |1 |Do not collect. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +- **GP name:** PreventLiveTileDataCollection +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventLiveTileDataCollection +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md
new file mode 100644
index 0000000000..4b5e20e3cb
--- /dev/null
+++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* + +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |Allowed. Show localhost IP addresses. | | +|Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent using Localhost IP address for WebRTC +- **GP name:** HideLocalHostIPAddress +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** HideLocalHostIPAddress +- **Value type:** REG_DWORD + +
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
new file mode 100644
index 0000000000..d53db6bbfa
--- /dev/null
+++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] + +### Supported values + +|Group Policy |Description | +|---|---| +|Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | +|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent turning off required extensions +- **GP name:** PreventTurningOffRequiredExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventTurningOffRequiredExtensions](../new-policies.md#prevent-turning-off-required-extensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** PreventTurningOffRequiredExtensions +- **Value type:** REG_SZ + +### Related policies +[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Related topics + +- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. +- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/en-us/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. 
By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-deploy): Apps can be assigned to devices whether or not they are managed by Intune. +- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. These types of apps are typically written in-house. + +


\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
new file mode 100644
index 0000000000..9ee99665b0
--- /dev/null
+++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Prevented/turned off)* + +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + +### Supported values +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings. | +|Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. | +--- + +### Configuration options + +For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent users from turning on browser syncing +- **GP name:** PreventUsersFromTurningOnBrowserSyncing +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +- **Data type:** String + + +### Related policies +[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. + +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) + + +
\ No newline at end of file
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md
new file mode 100644
index 0000000000..7d755b87f1
--- /dev/null
+++ b/browsers/edge/includes/provision-favorites-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Customizable)* + +[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + +>[!IMPORTANT] +>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + +### Supported values + +|Group Policy |Description |Most restricted | +|---|---|:---:| +|Disabled or not configured
**(default)** |Default list of favorites not defined in Microsoft Edge. In this case, the Favorites list is customizable, such as adding folders, or adding and removing favorites. | | +|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file**, and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=http://localhost:8080/URLs.html
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html
|![Most restricted value](../images/check-gn.png) | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Provision Favorites +- **GP name:** ConfiguredFavorites +- **GP element:** ConfiguredFavoritesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** ConfiguredFavorites +- **Value type:** REG_SZ + +### Related policies +[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +
\ No newline at end of file
diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
new file mode 100644
index 0000000000..e550bc4e57
--- /dev/null
+++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
@@ -0,0 +1 @@
+[Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
new file mode 100644
index 0000000000..5510174af6
--- /dev/null
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -0,0 +1,51 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured* + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + +>[!TIP] +>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. Allowed values. + + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enabled**, refresh the policy, and then view the affected sites in Microsoft Edge.

    A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Send all intranet sites to Internet Explorer 11 +- **GP name:** SendIntranetTraffictoInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** SendIntranetTraffictoInternetExplorer +- **Value type:** REG_DWORD + +### Related Policies +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + +### Related topics +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List or they can create a new one specifically for Microsoft Edge. 
By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. + +- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +
\ No newline at end of file
diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md
new file mode 100644
index 0000000000..b1cdbc84fb
--- /dev/null
+++ b/browsers/edge/includes/set-default-search-engine-include.md
@@ -0,0 +1,52 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Not configured (Defined in App settings)* + +[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Not configured
**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | | +|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | | +|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | +--- + + +### Configuration options + +For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set default search engine +- **GP name:** SetDefaultSearchEngine +- **GP element:** SetDefaultSearchEngine_Prompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch +- **Value name:** SetDefaultSearchEngine +- **Value type:** REG_SZ + +### Related policies + +- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + +### Related topics + +- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. 
Any technique not explicitly listed in this document is considered **unsupported**. + +- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. + +


\ No newline at end of file
diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md
new file mode 100644
index 0000000000..0b2c1e8495
--- /dev/null
+++ b/browsers/edge/includes/set-home-button-url-include.md
@@ -0,0 +1,46 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Blank)* + +[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled or not configured
**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. | +|Enabled - String |String |String |Load a custom URL for the home button. You must also enable the [Configure Home button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.

Enter a URL in string format, for example, https://www.msn.com. | +--- + + +### Configuration options + +For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set Home button URL +- **GP name:** SetHomeButtonURL +- **GP element:** SetHomeButtonURLPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButtonURL +- **Value type:** REG_SZ + +### Related policies + +- [Configure Home button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + +- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +


diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md
new file mode 100644
index 0000000000..ffd31bd264
--- /dev/null
+++ b/browsers/edge/includes/set-new-tab-url-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Blank)* + +[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled or not configured
**(default)** |Blank |Blank |Load the default New tab page. | +|Enabled - String |String |String |Prevent users from changing the New tab page.

Enter a URL in string format, for example, https://www.msn.com. | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set New Tab page URL +- **GP name:** SetNewTabPageURL +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** NewTabPageUR +- **Value type:** REG_SZ + + +### Related policies + +[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + + +


\ No newline at end of file
diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md
new file mode 100644
index 0000000000..23153686e2
--- /dev/null
+++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Default setting: Disabled or not configured (No additional message)* + + +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description |Most restricted | +|---|:---:|:---:|---|:---:| +|Disabled or not configured
**(default)** |0 |0 |No additional message displays. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Show an additional message stating that a site has opened in IE11. | | +|Enabled |2 |2 |Show an additional message with a "Keep going in Microsoft Edge" link to allow users to open the site in Microsoft Edge. | | +--- + +### Configuration options +For more details about configuring the search engine, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). + +### ADMX info and settings +#### ADMX info +- **GP English name:** Show message when opening sites in Internet Explorer +- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer +- **Value type:** REG_DWORD + +### Related policies + +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + + +
\ No newline at end of file
diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md
new file mode 100644
index 0000000000..339dbef1f0
--- /dev/null
+++ b/browsers/edge/includes/unlock-home-button-include.md
@@ -0,0 +1,45 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Home button is locked)* + +[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +### Supported values + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Disabled or not configured
**(default)** |0 |0 |Lock down the home button to prevent users from making changes to the home button settings. | +|Enabled |1 |1 |Let users make changes. | +--- + + +### Configuration options + +For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). + +### ADMX info and settings +#### ADMX info +- **GP English name:** Unlock Home Button +- **GP name:** UnlockHomeButton +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** UnlockHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Home button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + +- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + + +
\ No newline at end of file diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml new file mode 100644 index 0000000000..388263e0b5 --- /dev/null +++ b/browsers/edge/index.yml @@ -0,0 +1,163 @@ +### YamlMime:YamlDocument + +documentType: LandingData + +title: Microsoft Edge Group Policy configuration options + +metadata: + + document_id: + + title: Microsoft Edge Group Policy configuration options + + description: + + text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge, Windows 10 + + ms.localizationpriority: high + + author: shortpatti + + ms.author: pashort + + ms.date: 08/09/2018 + + ms.topic: article + + ms.devlang: na + +sections: + +- title: + +- items: + + - type: markdown + + text: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. + +- items: + + - type: list + + style: cards + + className: cardsE + + columns: 3 + + items: + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge + + html:

Learn about Microsoft Edge, including system requirements and language support

+ + image: + + src: https://docs.microsoft.com/media/common/i_overview.svg + + title: Microsoft Edge overview + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies + + html:

Learn more about the latest group policies and features added to Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_whats-new.svg + + title: What's new + + - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare + + html:

Learn about the supported features & functionality in each Windows edition.

+ + image: + + src: https://docs.microsoft.com/media/common/i_config-tools.svg + + title: Compare Windows 10 Editions + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + + html:

Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.

+ + image: + + src: https://docs.microsoft.com/media/common/i_security-management.svg + + title: Security & protection + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learch how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Interoperability & enterprise guidance + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/index + + html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: Group policies & configuration options + +- items: + + - type: list + + style: cards + + className: cardsL + + items: + + - title: Microsoft Edge resources + + html:

Minimum system requirements

+ +

Supported languages

+ +

Document change history

+ +

Compare Windows 10 Editions

+ +

Microsoft Edge Dev blog

+ +

Microsoft Edge Dev on Twitter

+ +

Microsoft Edge changelog

+ +

Measuring the impact of Microsoft Edge

+ + - title: Internet Explorer 11 resources + + html:

Deploy Internet Explorer 11 (IE11) - IT Pros

+ +

Internet Explorer Administration Kit 11 (IEAK 11)

+ +

Download Internet Explorer 11

+ + - title: Additional resources + + html:

Group Policy and the Group Policy Management Console (GPMC)

+ +

Group Policy and the Local Group Policy Editor

+ +

Group Policy and the Advanced Group Policy Management (AGPM)

+ +

Group Policy and Windows PowerShell

+
+
+
+
+
+
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
new file mode 100644
index 0000000000..1662f74b73
--- /dev/null
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -0,0 +1,324 @@
+---
+description: Microsoft Edge kiosk mode works with assigned access to allow IT, administrators, to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access.
+ms.assetid:
+author: shortpatti
+ms.author: pashort
+ms.prod: edge
+ms.sitesec: library
+title: Deploy Microsoft Edge kiosk mode
+ms.localizationpriority: medium
+ms.date: 07/25/2018
+---
+
+# Deploy Microsoft Edge kiosk mode (Preview)
+
+>Applies to: Microsoft Edge on Windows 10
+>Preview build 17723 + +Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + +When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. + +Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity. + +In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience. + + + +## Microsoft Edge kiosk types +Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). + +### Single-app kiosk + +When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a limited multi-tab version for public browsing. 
For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage). + +The single-app Microsoft Edge kiosk mode types include: + +1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage include an interactive museum display or a restaurant order/pay station. + +2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device. + + ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/SingleApp_contosoHotel_inFrame.png) + +### Multi-app kiosk +When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. + +The multi-app Microsoft Edge kiosk mode types include: + +3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. 
In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other app(s). + + ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png) + +4. **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. + + ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/Normal_inFrame.png) + +## Let’s get started! +Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using: + +- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. + +- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. 
+ + >[!NOTE] + >For other MDM service, check with your provider for instructions. + +- **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access using a PowerShell script. For details, see For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell).  + +- **Windows Configuration Designer.** Best for setting up multiple kiosk devices. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1). + +### Prerequisites + +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). + +- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method. + +>[!Important] +>If you are using a local account as a kiosk account in Intune or provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. + + +### Use Windows Settings + +Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses. + +1. In Windows Settings, select **Accounts** \> **Other people**. + +2. Under **Set up a kiosk**, select **Assigned access**. + +3. 
Select **Get started**. + +4. Create a standard user account or choose an existing account for your kiosk. + +5. Select **Next**. + +6. On the **Choose a kiosk app** page, select **Microsoft Edge.** + +7. Select **Next**. + +8. Select how Microsoft Edge displays when running in kiosk mode: + + - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls. + + - **As a public browser**, the default URL shows in a browser view with limited browser controls. + +9. Select **Next**. + +10. Enter the URL that you want to load when the kiosk launches. + + >[!NOTE] + >The URL sets the Home button, Start page, and New tab page. + +11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value. + +12. Select **Next**, and then select **Close**. + +13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on. + +14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Relevant policies](#relevant-policies). + +15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account. + +**_Congratulations!_** You’ve finished setting up Microsoft Edge in assigned access and a kiosk or digital sign, and configured browser policies for Microsoft Edge kiosk mode. + +**_Next steps._** +- Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. +- If you want to make changes to your kiosk, you can quickly change the display option and default URL for Microsoft Edge. + + 1. 
Go to **Start** \> **Settings** \> **Accounts** \> **Other people**. + + 2. Under **Set up a kiosk**, select **Assigned access**. + + 3. Make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. + + +### Use Microsoft Intune or other MDM service + +With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. + +1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. + +2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device. + + | | | + |---|---| + | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + --- +
+ +**_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. + +**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. + +### Use a provisioning package + +With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. + +1. Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access. + +2. After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor. + +3. Navigate to **Runtime settings \> Policies \> Browser** and set the following policies: + + | | | + |---|---| + | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + --- +
+4. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package. + +5. Click **Finish**. The wizard closes taking you back to the Customizations page. + +6. Apply the provisioning package to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). For more details, see [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package). + +**_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode. + +**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. + +--- + +## Relevant policies + +Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser). + +| **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | +|------------------|:---------:|:---------:|:---------:|:---------:| +| [AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowBrowser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFullscreen](new-policies.md#allow-fullscreen-mode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrinting](new-policies.md#allow-printing)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSavingHistory](new-policies.md#allow-saving-history)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSideloadingOfExtensions](new-policies.md#allow-sideloading-of-extensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowTabPreloading](new-policies.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowWebContentOnNewTabPage](available-policies.md#allow-web-content-on-new-tab-page)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureFavoritesBar](new-policies.md#configure-favorites-bar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureHomeButton](new-policies.md#configure-home-button)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskMode](new-policies.md#configure-kiosk-mode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [Experience/DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [Experience/PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventCertErrorOverrides](new-policies.md#prevent-certificate-error-overrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| 
[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventTurningOffRequiredExtensions](new-policies.md#prevent-turning-off-required-extensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | +| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetHomeButtonURL](new-policies.md#set-home-button-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetNewTabPageURL](new-policies.md#set-new-tab-page-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [UnlockHomeButton](new-policies.md#unlock-home-button)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +--- + +*\* New policy coming in the next release of Windows 10.*

+*1) For multi-app assigned access, you must configure Internet Explorer 11.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* + +**Legend:**

+       ![Not supported](images/148766.png) = Not applicable or not supported
+       ![Supported](images/148767.png) = Supported + +--- + +## Related topics + +- **[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage)**: Learn about the different methods to configuring your kiosks and digitals signs. Also, learn about the settings you can use to lock down the kiosk for a more secure kiosk experience. + +- **[Create a Kiosk Experience](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/create-a-kiosk-image):** Learn how to set up single-function kiosk devices, such as restaurant menus, and optional features for a welcome screen or power button availability. Also, learn how to create a multi-app kiosk, or fixed-purpose device, to provide an easy-to-understand experience giving users the things they need to use. + +- **[Configure a Windows 10 kiosk that runs multiple apps](https://aka.ms/Ckmq4n):** Learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. + +- **[Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4):** In Windows 10, you can use assigned access to create a kiosk device, which enables users to interact with just a single Universal Windows app. Learn about the best practices for implementing a kiosk app. + +- **[Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3):** Assigned access restricts a local standard user account on the device so that it only has access to a single-function device, like a kiosk. Learn about the guidelines for choosing a Windows app, web browsers, and securing your information. Also, learn about additional configurations required for some apps before it can work properly in assigned access. 
+ +- **[Other settings to lock down](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down):** Learn how to configure a more secure kiosk experience. In addition to the settings, learn how to set up **automatic logon** for your kiosk device. For example, when the kiosk device restarts, you can log back into the device manually or by setting up automatic logon. + +- **[Add apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add):** Learn about and understand a few app fundamentals and requirements before adding them to Intune and making them available to your users. + +- **[AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp):** The AssignedAccess configuration service provider (CSP) sets the device to run in kiosk mode. Once the CSP has executed, then the next user login associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. + +- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):** Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings. + +--- + +## Known issues with prerelease build 17723 + +When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored. +- **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode. +- **Actual behavior** – Normal Microsoft Edge launches. 
+ +--- + +## Provide feedback or get support + +To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. + +**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. + +--- + +## Feature comparison of kiosk mode and kiosk browser app +In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. + +| **Feature** | **Microsoft Edge kiosk mode** | **Kiosk Browser** | +|---------------|:----------------:|:---------------:| +| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Allow URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Configure Home button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | +| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Intune, must create custom URI to enable. Dedicated UI configuration targeted for 1808.* | +| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +--- + +**\*Windows Defender Firewall**

+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+
+---
\ No newline at end of file
diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md
new file mode 100644
index 0000000000..f6063c43f7
--- /dev/null
+++ b/browsers/edge/new-policies.md
@@ -0,0 +1,116 @@
+---
+description: Microsoft Edge now has new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
+ms.assetid:
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+title: New Microsoft Edge Group Policies and MDM settings
+ms.localizationpriority: medium
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+---
+
+# New Microsoft Edge Group Policies and MDM settings (Preview)
+
+> Applies to: Microsoft Edge on Windows 10
+> Preview build 17713+ + +The Microsoft Edge team introduces new Group Policies and MDM Settings for the Windows 10 Insider Preview Build 17713+. The new policies allow IT administrators to enable/disable full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions. + +We are discontinuing the **Configure Favorites** group policy. Use the **[Provision Favorites](available-policies.md#provision-favorites)** instead. + + + +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_** +

+ + + +| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** | +| --- | --- | --- | --- | +| [Allow fullscreen mode](#allow-fullscreen-mode) | New | [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) | New | +| [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New | +| [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | New | +| [Allow printing](#allow-printing) | New | [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | New | +| [Allow Saving History](#allow-saving-history) | New | [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | New | +| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | New | +| [Allow web content on new tab page](available-policies.md#allow-web-content-on-new-tab-page) | -- | [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | New | +| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New | 
[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | New | +| [Configure Favorites Bar](#configure-favorites-bar) | New | [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | New | +| [Configure Home button](#configure-home-button) | New | [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | New | +| [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New | +| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New | +| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New | +| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) | New | +| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New | +| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | 
[Experience/PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | +| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | +| [Set Home button URL](#set-home-button-url) | New | [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | New | +| [Set New Tab page URL](#set-new-tab-page-url) | New | [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | New | +| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | Updated | +| [Unlock Home button](#unlock-home-button) | New | [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | New | +--- + + + + +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving 
History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + +## Allow sideloading of Extensions +[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + +## Set Home button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + +## Show message when opening sites in Internet Explorer +[!INCLUDE 
[show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] + diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 9efd0d49d7..8f16464105 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -15,7 +15,7 @@ author: shortpatti >Applies to: Windows 10, Windows 10 Mobile -Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. +Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. ## Help to protect against web-based security threats While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking: diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md new file mode 100644 index 0000000000..19e8c5a8a4 --- /dev/null +++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md 
@@ -0,0 +1 @@
+Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
new file mode 100644
index 0000000000..4a49c8dc67
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
new file mode 100644
index 0000000000..6c0c3cf0be
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
@@ -0,0 +1 @@
+Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
new file mode 100644
index 0000000000..31127ca2d7
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
new file mode 100644
index 0000000000..e5fd1dde74
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
new file mode 100644
index 0000000000..2857a93d27
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
@@ -0,0 +1 @@
+Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
new file mode 100644
index 0000000000..b9bab04325
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
new file mode 100644
index 0000000000..1c11de47c0
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
@@ -0,0 +1 @@
+By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
new file mode 100644
index 0000000000..2d1f8ec802
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
new file mode 100644
index 0000000000..0ce0f11a60
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
new file mode 100644
index 0000000000..75def749bb
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
new file mode 100644
index 0000000000..a56056d3e9
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
@@ -0,0 +1 @@
+During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
new file mode 100644
index 0000000000..405fca5e9c
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md
new file mode 100644
index 0000000000..5abb3b7dc7
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
new file mode 100644
index 0000000000..bec7172c23
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
new file mode 100644
index 0000000000..2b4e25a7c3
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
@@ -0,0 +1 @@
+By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
new file mode 100644
index 0000000000..bb723ab0c6
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
new file mode 100644
index 0000000000..3b245ca258
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
new file mode 100644
index 0000000000..bad40654c0
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads the default New tab page. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose what loads on the New tab page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
new file mode 100644
index 0000000000..7ec95879df
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
@@ -0,0 +1 @@
+With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data is shared through the SharedLocal folder, which is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
new file mode 100644
index 0000000000..9a382427fa
--- /dev/null
+++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
new file mode 100644
index 0000000000..c68642520a
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
@@ -0,0 +1 @@
+By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
new file mode 100644
index 0000000000..c58d446834
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md b/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
new file mode 100644
index 0000000000..247308fee8
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
@@ -0,0 +1 @@
+By default, users can choose to use the Autofill feature to automatically populate the form fields. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
new file mode 100644
index 0000000000..6a9cce12e0
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
new file mode 100644
index 0000000000..a35c4d0f31
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
new file mode 100644
index 0000000000..d3026c51e7
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
new file mode 100644
index 0000000000..80383e4f0a
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
new file mode 100644
index 0000000000..4536456e59
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
new file mode 100644
index 0000000000..d61df8e460
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
@@ -0,0 +1 @@
+Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
new file mode 100644
index 0000000000..c1e1a48bab
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-inprivate-shortdesc.md b/browsers/edge/shortdesc/configure-inprivate-shortdesc.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
new file mode 100644
index 0000000000..a0e1cbf398
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
@@ -0,0 +1 @@
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
new file mode 100644
index 0000000000..4772d2d2dd
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
@@ -0,0 +1 @@
+You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
new file mode 100644
index 0000000000..7383d68455
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
new file mode 100644
index 0000000000..63a62cfff5
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
new file mode 100644
index 0000000000..e89395a2ab
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Don’t configure this policy to let users choose to use Pop-up Blocker.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
new file mode 100644
index 0000000000..e95e652f45
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
@@ -0,0 +1 @@
+By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
new file mode 100644
index 0000000000..f027fdb17e
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
new file mode 100644
index 0000000000..752f554dca
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
new file mode 100644
index 0000000000..9286227f0e
--- /dev/null
+++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
@@ -0,0 +1 @@
+By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
new file mode 100644
index 0000000000..5e485a0200
--- /dev/null
+++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
@@ -0,0 +1 @@
+By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
new file mode 100644
index 0000000000..1e9ac07094
--- /dev/null
+++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
new file mode 100644
index 0000000000..71de365bde
--- /dev/null
+++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
new file mode 100644
index 0000000000..132291b931
--- /dev/null
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -0,0 +1 @@
+This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
new file mode 100644
index 0000000000..b13677be33
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
@@ -0,0 +1 @@
+By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
new file mode 100644
index 0000000000..135bd4f574
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of unverified file(s).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
new file mode 100644
index 0000000000..56a2ecdd15
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
new file mode 100644
index 0000000000..0d4351e0cb
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
@@ -0,0 +1 @@
+Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
new file mode 100644
index 0000000000..195318866f
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
@@ -0,0 +1 @@
+By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
new file mode 100644
index 0000000000..4be519322f
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a more complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users a limited experience.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
new file mode 100644
index 0000000000..f587cc839c
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
@@ -0,0 +1 @@
+By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via a FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
new file mode 100644
index 0000000000..e428d938ed
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
new file mode 100644
index 0000000000..1211a69dfa
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
@@ -0,0 +1 @@
+By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
new file mode 100644
index 0000000000..defb76bdf5
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
new file mode 100644
index 0000000000..7f02b200c8
--- /dev/null
+++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
@@ -0,0 +1 @@
+By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
new file mode 100644
index 0000000000..c5684bc753
--- /dev/null
+++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
new file mode 100644
index 0000000000..296965ba86
--- /dev/null
+++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
@@ -0,0 +1 @@
+By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
new file mode 100644
index 0000000000..839e07428b
--- /dev/null
+++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses the default search engine specified in App settings. In this case, users can make changes to the default search engine at any time unless the Allow search engine customization policy is disabled, which restricts users from making any changes. Disabling this policy removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. Enabling this policy uses the policy-set search engine specified in the OpenSearch XML file, prevent users from changing the default search engine.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
new file mode 100644
index 0000000000..10ad478e1b
--- /dev/null
+++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
new file mode 100644
index 0000000000..35ae30c337
--- /dev/null
+++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md
new file mode 100644
index 0000000000..2c796253ef
--- /dev/null
+++ b/browsers/edge/shortdesc/shortdesc-test.md
@@ -0,0 +1 @@
+UI settings for the home button are disabled preventing your users from making changes
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
new file mode 100644
index 0000000000..7601ad77fc
--- /dev/null
+++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the “Keep going in Microsoft Edge” link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
new file mode 100644
index 0000000000..62c666c475
--- /dev/null
+++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
@@ -0,0 +1 @@
+By default, when you enable the Configure Home button policy or provide a URL in the Set Home button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home button or Set Home button URL policies.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
new file mode 100644
index 0000000000..72e501af4b
--- /dev/null
+++ b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
@@ -0,0 +1,65 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to add employees to the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Add employees to the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
+
+The available roles are:
+
+- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
+
+- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role.
The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
+
+**To add an employee to the Enterprise Mode Site List Portal**
+1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
+
+ The **Employee management** page appears.
+
+2. Click **Add a new employee**.
+
+ The **Add a new employee** page appears.
+
+3. Fill out the fields for each employee, including:
+
+ - **Email.** Add the employee's email address.
+
+ - **Name.** This box autofills based on the email address.
+
+ - **Role.** Pick a single role for the employee, based on the list above.
+
+ - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
+
+ - **Comments.** Add optional comments about the employee.
+
+ - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+**To export all employees to an Excel spreadsheet**
+1. On the **Employee management** page, click **Export to Excel**.
+
+2. Save the EnterpriseModeUsersList.xlsx file.
+
+ The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
new file mode 100644
index 0000000000..595d31fa6f
--- /dev/null
+++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -0,0 +1,109 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
+
+If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
+You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+Each XML file must include:
+
+- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
+
+- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
+
+- **<docMode> tag.**This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+### Enterprise Mode v.1 XML schema example
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+```
+
+
+ www.cpandl.com
+ www.woodgrovebank.com
+ adatum.com
+ contoso.com
+ relecloud.com
+ /about
+
+ fabrikam.com
+ /products
+
+
+
+ contoso.com
+ /travel
+
+ fabrikam.com
+ /products
+
+
+
+```
+
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
new file mode 100644
index 0000000000..c8077d0f92
--- /dev/null
+++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -0,0 +1,119 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
+author: eross-msft
+ms.prod: ie11
+ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/24/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones.
+
+To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+
+You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
+
+>**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema
+
+You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
+
+Each XML file must include:
+
+- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. 
+
+- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains.
+
+- **<open-in> tag.** This tag specifies what browser opens for each sites or domain.
+
+### Enterprise Mode v.2 XML schema example
+
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+```
+
+
+
+ EnterpriseSitelistManager
+ 10240
+ 20150728.135021
+
+
+
+ IE8Enterprise
+ MSEdge
+
+
+ IE7Enterprise
+ IE11
+
+
+ default
+ IE11
+
+
+```
+In the above example, the following is true:
+
+- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode.
+
+- contoso.com, and all of its domain paths, can use the default compatibility mode for the site.
+
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
new file mode 100644
index 0000000000..f6061375ab
--- /dev/null
+++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -0,0 +1,63 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones.
+
+

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
+

**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool.
+
+4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
+
+The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. Click **Save** to validate your website and to add it to the site list for your enterprise.

+If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
new file mode 100644
index 0000000000..eafa1921a5
--- /dev/null
+++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -0,0 +1,79 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

+**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool.
+
+4. In the **Compat Mode** box, choose one of the following:
+
+ - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode.
+
+ - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode.
+
+ - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode.
+
+ - **Default Mode**. Loads the site using the default compatibility mode for the page.
+
+ The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+ Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
+
+ - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee.
+
+ - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
+
+ - **None**. Opens in whatever browser the employee chooses.
+
+6. Click **Save** to validate your website and to add it to the site list for your enterprise.

+If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +  + +  + + + diff --git a/browsers/enterprise-mode/administrative-templates-and-ie11.md b/browsers/enterprise-mode/administrative-templates-and-ie11.md new file mode 100644 index 0000000000..8f22d23808 --- /dev/null +++ b/browsers/enterprise-mode/administrative-templates-and-ie11.md 
@@ -0,0 +1,79 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Administrative templates and Internet Explorer 11
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
+title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Administrative templates and Internet Explorer 11
+
+Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
+
+- What registry locations correspond to each setting.
+
+- What value options or restrictions are associated with each setting.
+
+- The default value for many settings.
+
+- Text explanations about each setting and the supported version of Internet Explorer.
+
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+
+## What are Administrative Templates?
+Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
+
+- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
+
+- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
+
+## How do I store Administrative Templates?
+As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. 
This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). +

**Important**
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see [Scenario 1: Editing the Local GPO Using ADMX Files](https://go.microsoft.com/fwlink/p/?LinkId=276810).
+
+## Administrative Templates-related Group Policy settings
+When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
+

**Note**
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the **PolicyDefinitions** folder on this computer.
+
+IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
+
+- Computer Configuration\\Administrative Templates\\Windows Components\\
+
+- User Configuration\\Administrative Templates\\Windows Components\\
+
+
+|Catalog |Description |
+| ------------------------------------------------ | --------------------------------------------|
+|IE |Turns standard IE configuration on and off. |
+|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
+|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
+|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
+|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
+|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
+|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
+|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
+|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
+|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. 
| +|Internet Explorer\Privacy |Turns various privacy-related features on and off. | +|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | +|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | +|RSS Feeds |Sets up and manages RSS feeds in the browser. | + + +## Editing Group Policy settings +Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: + +- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. + +- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. + +## Related topics +- [Administrative templates (.admx) for Windows 10 download](https://go.microsoft.com/fwlink/p/?LinkId=746579) +- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) + diff --git a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md new file mode 100644 index 0000000000..24078753c7 --- /dev/null +++ b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md 
@@ -0,0 +1,59 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Approve a change request using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
+
+## Approve or reject a change request
+The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
+
+**To approve or reject a change request**
+1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
+
+ The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
+
+2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
+
+3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
+
+ An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. 
+
+
+## Send a reminder to the Approver(s) group
+If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
+
+- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
+
+ An email is sent to the selected Approver(s).
+
+
+## View rejected change requests
+The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
+
+**To view the rejected change request**
+
+- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
+
+ All rejected change requests appear, with role assignment determining which ones are visible.
+
+
+## Next steps
+After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
new file mode 100644
index 0000000000..cf0a576c0e
--- /dev/null
+++ b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -0,0 +1,49 @@
+---
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.prod: ie11
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+ms.sitesec: library
+author: eross-msft
+ms.author: lizross
+ms.date: 08/14/2017
+ms.localizationpriority: low
+---
+
+
+# Check for a new Enterprise Mode site list xml file
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
+
+**How Internet Explorer 11 looks for an updated site list**
+
+1. Internet Explorer starts up and looks for an updated site list in the following places:
+
+ 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
+
+ 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
+
+ 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
+
+2. 
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +   + +  + +  + + + diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md new file mode 100644 index 0000000000..ff584c1c9d --- /dev/null +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -0,0 +1,479 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. +author: eross-msft +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 +title: Collect data using Enterprise Site Discovery +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Collect data using Enterprise Site Discovery + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 with Service Pack 1 (SP1) + +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. + +>**Upgrade Analytics and Windows upgrades**
+>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started). + + +## Before you begin +Before you start, you need to make sure you have the following: + +- Latest cumulative security update (for all supported versions of Internet Explorer): + + 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. + + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + + 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. + + ![affected software section](images/affectedsoftware.png) + + 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. + +- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: + + - Configuration-related PowerShell scripts + + - IETelemetry.mof file + + - Sample System Center 2012 report templates + + You must use System Center 2012 R2 Configuration Manager or later for these samples to work. + +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. + +## What data is collected? +Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. + +|Data point |IE11 |IE10 |IE9 |IE8 |Description | +|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| +|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. 
| +|Domain | X | X | X | X |Top-level domain of the browsed site. | +|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | +|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | X | X | | |The reason why a document mode was set by IE. | +|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | +|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | X | X | X | X |Number of times a site has been visited. | +|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | + + +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | +|9 |Page state is set by the browser mode and the page's DOCTYPE.| + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | + +## Where is the data stored and how do I collect it? +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: + +- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. + +- **XML file**. Any agent that works with XML can be used. + +## WMI Site Discovery suggestions +We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. + +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges +You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. + +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** + +- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +### WMI only: Set up your firewall for WMI data +If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: + +**To set up your firewall** + +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. + +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. + +3. Restart your computer to start collecting your WMI data. + +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. + +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. + +**To set up data collection using a domain allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + +**To set up data collection using a zone allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). + +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** + +- Open your Group Policy editor, and go to these new settings: + + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. | | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + +### Combining WMI and XML Group Policy settings +You can use both the WMI and XML settings individually or together: + +**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +**To turn on both WMI and XML recording** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +## Use Configuration Manager to collect your data +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + +2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. + +3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. + + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + +4. Select the check boxes next to the following classes, and then click **OK**: + + - IESystemInfo + + - IEURLInfo + + - IECountInfo + +5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + +2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. + +3. Pick the inventory items to install, and then click **Import**. + +4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. + +**To collect your inventory** + +1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. + +2. Add this text to the end of the file: + + ``` + [SMS_Report (TRUE), + SMS_Group_Name ("IESystemInfo"), + SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IESystemInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String SystemKey; + [SMS_Report (TRUE) ] + String IEVer; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IEURLInfo"), + SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IEURLInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String URL; + [SMS_Report (TRUE) ] + String Domain; + [SMS_Report (TRUE) ] + UInt32 DocMode; + [SMS_Report (TRUE) ] + UInt32 DocModeReason; + [SMS_Report (TRUE) ] + UInt32 Zone; + [SMS_Report (TRUE) ] + UInt32 BrowserStateReason; + [SMS_Report (TRUE) ] + String ActiveXGUID[]; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + [SMS_Report (TRUE) ] + UInt32 NumberOfVisits; + [SMS_Report (TRUE) ] + UInt32 MostRecentNavigationFailure; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IECountInfo"), + SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IECountInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String CountKey; + 
[SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + }; + ``` + +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. + +## View the sample reports with your collected data +The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. + +### SCCM Report Sample – ActiveX.rdl +Gives you a list of all of the ActiveX-related sites visited by the client computer. + +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) + +### SCCM Report Sample – Site Discovery.rdl +Gives you a list of all of the sites visited by the client computer. + +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) + +## View the collected XML data +After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: + +``` xml + + + [dword] + [dword] + [dword] + + + [string] + + [guid] + + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [string] + [dword] + + + + +``` +You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. + +**To add your XML data to your Enterprise Mode site list** + +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. + + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +## Turn off data collection on your client devices +After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. + +**To stop collecting data, using PowerShell** + +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1 –IEFeatureOff`. + + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
+
+
+**To stop collecting data, using Group Policy**
+
+1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
+
+2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
+
+### Delete already stored data from client computers
+You can completely remove the data stored on your employee’s computers.
+
+**To delete all existing data**
+
+- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
+
+ - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
+
+## Related topics
+* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
+* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
+ 
+
+
+
diff --git a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md
new file mode 100644
index 0000000000..36066de055
--- /dev/null
+++ b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md
@@ -0,0 +1,94 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
+author: eross-msft
+ms.prod: ie11
+title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
+
+## Use the Environment settings area
+This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
+
+**To add location info**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
+
+3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
+
+## Use the Group and role settings area
+After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. 
+
+**To add a new group and determine the required change request Approvers**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Group and role settings** area of the page, click **Group details**.
+
+ The **Add or edit group names** box appears.
+
+3. Click the **Add group** tab, and then add the following info:
+
+ - **New group name.** Type name of your new group.
+
+ - **Group head email.** Type the email address for the primary contact for the group.
+
+ - **Group head name.** This box automatically fills, based on the email address.
+
+ - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+
+**To set a group's required Approvers**
+1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
+
+2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
+
+ - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
+
+ You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
+
+ - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
+
+ You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
+
+ - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
+
+## Use the Freeze production changes area
+This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. 
This must include both a start and an end date.
+
+**To add the start and end dates**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
+
+3. Click **Save**.
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
new file mode 100644
index 0000000000..18b8b34406
--- /dev/null
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@@ -0,0 +1,70 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to create a change request within the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Create a change request using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
+
+>[!Important]
+>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+
+**To create a new change request**
+1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
+
+ The **Create new request** page appears.
+
+2. Fill out the required fields, based on the group and the app, including:
+
+ - **Group name.** Select the name of your group from the dropdown box.
+
+ - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
+
+ - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
+
+ - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list.
+
+ - **Requested by.** Automatically filled in with your name. 
+
+ - **Description.** Add descriptive info about the app.
+
+ - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**.
+
+ - **Reason for request.** Select the best reason for why you want to update, delete, or add the app.
+
+ - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change.
+
+ - **App location (URL).** The full URL location to the app, starting with http:// or https://.
+
+ - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
+
+ - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx).
+
+4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
+
+ A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
+
+5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
+
+ - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
+
+ - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
+
+## Next steps
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. 
For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..13fd5539cd
--- /dev/null
+++ b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,46 @@
+---
+ms.localizationpriority: low
+description: Delete a single site from your global Enterprise Mode site list.
+ms.pagetype: appcompat
+ms.mktglfcycl: deploy
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
+title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+
+ **To delete a single site from your global Enterprise Mode site list**
+
+- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
+The site is permanently removed from your list.
+
+If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system.
+
+- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
+
+- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..c6e03cadc0
--- /dev/null
+++ b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,50 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
+title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
+
+If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
+
+ **To change how your page renders**
+
+1. In the Enterprise Mode Site List Manager, double-click the site you want to change.
+
+2. Change the comment or the compatibility mode option. 
+
+3. Click **Save** to validate your changes and to add the updated information to your site list.
+If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+4. On the **File** menu, click **Save to XML**, and save the updated file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
new file mode 100644
index 0000000000..20155271eb
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
@@ -0,0 +1,50 @@
+## Enterprise Mode and the Enterprise Mode Site List XML file
+The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
+
+Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
+
+### Site list xml file
+
+This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
+
+```xml + + + + EnterpriseSiteListManager + 10586 + 20150728.135021 + + + + IE8Enterprise + IE11 + + + default + IE11 + + + IE7Enterprise + IE11 + + + + + IE8Enterprise" + IE11 + + + IE7 + IE11 + + + IE7 + IE11 + + + +```
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md
new file mode 100644
index 0000000000..8090fc9ba8
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@@ -0,0 +1,16 @@
+### Enterprise Mode features
+Enterprise Mode includes the following features:
+
+- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
+
+- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
+Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
+
+- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
+
+ >[!Important]
+ >All centrally-made decisions override any locally-made choices.
+
+- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
+
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md
new file mode 100644
index 0000000000..b7d9399d77
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md 
@@ -0,0 +1,51 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
+title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Enterprise Mode for Internet Explorer 11
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+## In this section
+|Topic |Description |
+|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
+|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. |
+|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. |
+|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. |
+|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. 
|
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
+|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. |
+|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.|
+|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
+|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
+|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. |
+|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. |
+|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. |
+|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. 
| +|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | +  + +  + +  + + + diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md new file mode 100644 index 0000000000..88711fd787 --- /dev/null +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md @@ -0,0 +1,233 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. +author: eross-msft +ms.prod: ie11 +ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 +title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode schema v.1 guidance + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. + +## Enterprise Mode schema v.1 example +The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. + +**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com. + +``` xml + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +### Schema elements +This table includes the elements used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescriptionSupported browser
<rules>Root node for the schema. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
+-or- +

For IPv6 ranges:

<rules version="205">
+  <emie>
+    <domain>[10.122.34.99]:8080</domain>
+  </emie>
+  </rules>
+-or- +

For IPv4 ranges:

<rules version="205">
+  <emie>
+    <domain>10.122.34.99:8080</domain>
+  </emie>
+  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. +

Example +

+<rules version="205">
+  <docMode>
+    <domain docMode="7">contoso.com</domain>
+  </docMode>
+</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. +

Example +

+<emie>
+  <domain>contoso.com:8080</domain>
+</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. +

Example +

+<emie>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
+  </domain>
+</emie>

+Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
+ +### Schema attributes +This table includes the attributes used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements. +

Example +

+<emie>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
+  </domain>
+</emie>

+Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. +

Example +

+<docMode>
+  <domain exclude="false">fakrikam.com
+    <path docMode="7">/products</path>
+  </domain>
+</docMode>
Internet Explorer 11
+ +### Using Enterprise Mode and document mode together +If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. + +For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node. + +```xml + + + contoso.com + test.contoso.com + + + test.contoso.com + + +``` + +### What not to include in your schema +We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: +- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing. +- Don’t use wildcards. +- Don’t use query strings, ampersands break parsing. + +## How to use trailing slashes +You can use trailing slashes at the path-level, but not at the domain-level: +- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing. +- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths. + +**Example** + +``` xml +contoso.com + /about/ + +``` +In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode. + + +## How to target specific sites +If you want to target specific sites in your organization. + +|Targeted site |Example |Explanation | +|--------------|--------|------------| +|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode>
|

| +|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>
|| +|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie>
| | +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
| |
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
new file mode 100644
index 0000000000..df6a01cb68
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
@@ -0,0 +1,298 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
+title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 12/04/2017
+---
+
+
+# Enterprise Mode schema v.2 guidance
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
+
+**Important**
+If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+## Enterprise Mode schema v.2 updates
+Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
+
+- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
+
+- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
+
+You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
+
+### Enterprise Mode v.2 schema example
+The following is an example of the v.2 version of the Enterprise Mode schema.
+
+**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both http://contoso.com and https://contoso.com. +  +``` xml + + + + EnterpriseSitelistManager + 10240 + 20150728.135021 + + + + IE8Enterprise + MSEdge + + + default + IE11 + + + IE7Enterprise + IE11 + + + default + IE11 + + + default + none + + IE8Enterprise" + + + IE7 + IE11 + + + IE8Enterprise + IE11 + + + IE7 + IE11 + + +``` + +### Updated schema elements +This table includes the elements used by the v.2 version of the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescriptionSupported browser
<site-list>A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>. +

Example +

+<site-list version="205">
+  <site url="contoso.com">
+    <compat-mode>IE8Enterprise</compat-mode>
+    <open-in>IE11</open-in>
+  </site>
+</site-list>
Internet Explorer 11 and Microsoft Edge
<site>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element. +

Example +

+<site url="contoso.com">
+  <compat-mode>default</compat-mode>
+  <open-in>none</open-in>
+</site>
+-or- +

For IPv4 ranges:

<site url="10.122.34.99:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+-or- +

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+You can also use the self-closing version, <url="contoso.com" />, which also sets: +

    +
  • <compat-mode>default</compat-mode>
  • +
  • <open-in>none</open-in>
  • +
Internet Explorer 11 and Microsoft Edge
<compat-mode>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. +

Example +

+<site url="contoso.com">
+  <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-or- +

For IPv4 ranges:

<site url="10.122.34.99:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+-or- +

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+Where: +

    +
  • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
  • +

  • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.

    Important
    This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

  • +

  • IE[x]. Where [x] is the document mode number into which the site loads.
  • +

  • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
  • +
Internet Explorer 11
<open-in>A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10. +

Example +

+<site url="contoso.com">
+  <open-in>none</open-in>
+</site>

+Where: +

    +
  • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
  • +

  • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
  • +

  • None or not specified. Opens in whatever browser the employee chooses.
  • +
Internet Explorer 11 and Microsoft Edge
+ +### Updated schema attributes +The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionSupported browser
allow-redirectA boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser). +

Example +

+<site url="contoso.com/travel">
+  <open-in allow-redirect="true">IE11</open-in>
+</site>
+In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
Internet Explorer 11 and Microsoft Edge
versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.Internet Explorer 11 and Microsoft Edge
urlSpecifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL. +
Note
+Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. +

Example +

+<site url="contoso.com:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+  <open-in>IE11</open-in>
+</site>
+In this example, going to http://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.
Internet Explorer 11 and Microsoft Edge
+ +### Deprecated attributes +These v.1 version schema attributes have been deprecated in the v.2 version of the schema: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Deprecated attributeNew attributeReplacement example
<forceCompatView><compat-mode>Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
<docMode><compat-mode>Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
<doNotTransition><open-in>Replace <doNotTransition="true"> with <open-in>none</open-in>
<domain> and <path><site>Replace: +
+<emie>
+  <domain exclude="false">contoso.com</domain>
+</emie>
+With: +
+<site url="contoso.com"/>
+  <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-AND-

+Replace: +

+<emie>
+  <domain exclude="true">contoso.com
+     <path exclude="false" forceCompatView="true">/about</path>
+  </domain>
+</emie>
+With: +
+<site url="contoso.com/about">
+  <compat-mode>IE7Enterprise</compat-mode>
+</site>
+
+While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
+
+**Important**
+Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
+
+### What not to include in your schema
+We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
+
+- Don’t use protocols. For example, http://, https://, or custom protocols. They break parsing.
+- Don’t use wildcards.
+- Don’t use query strings, ampersands break parsing.
+
+## Related topics
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md
new file mode 100644
index 0000000000..f1c67006ba
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md
@@ -0,0 +1,36 @@
+## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier.
+
+### Enterprise Mode Site List Manager
+This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
+
+There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
+
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
+
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. 
+
+### Enterprise Mode Site List Portal
+The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
+
+In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
+
+- Manage site lists from any device supporting Windows 7 or greater.
+
+- Submit change requests.
+
+- Operate offline through an on-premise solution.
+
+- Provide role-based governance.
+
+- Test configuration settings before releasing to a live environment.
+
+Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
new file mode 100644
index 0000000000..4ead83795d
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
@@ -0,0 +1,7 @@
+## Enterprise Mode Site List Manager versions
+There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system.
+
+|Schema version |Operating system |Enterprise Site List Manager version |
+|-----------------|---------------|------------------------------------|
+|Enterprise Mode schema, version 2 (v.2) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.

For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).|
+|Enterprise Mode schema, version 1 (v.1) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.

For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)|
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
new file mode 100644
index 0000000000..663a632588
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -0,0 +1,57 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Use this section to learn about how to turn on Enterprise Mode.
+author: shortpatti
+ms.author: pashort
+ms.prod: edge, ie11
+ms.assetid:
+title: Enterprise Mode for Microsoft Edge
+ms.sitesec: library
+ms.date: ''
+---
+
+# Enterprise Mode for Microsoft Edge
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers the confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
+
+## Available dual-browser experiences
+
+
+## Enterprise Mode features
+
+
+
+
+## Enterprise Mode Site List management tools
+...description of what you can do with these tools; also specify if you must use both or if each tool works independently and no dependencies on the other tool... I think these tools are for two different scenarios...
+
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple of tools that can make that process even easier.
+
+| | |
+|---------|---------|
+|Enterprise Mode Site List Manager |Use if your site list is relatively small. 
|
+|Enterprise Mode Site List Portal |Use if your site list is too large to add individual sites, or if you have more than one person managing the sites. |
+
+### Enterprise Mode Site List Manager
+
+
+### Enterprise Mode Site List Portal
+
+
+
+## Enterprise Mode Site List XML file
+[!INCLUDE [enterprise-mode-and-enterprise-site-list-include](enterprise-mode-and-enterprise-site-list-include.md)]
+
+
+## Turn on Enterprise Mode
+
+
+### Add a single site to the site list
+
+
+### Add mulitple sites to the site list
+
+
diff --git a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..8e779574c1
--- /dev/null
+++ b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,46 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
+title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved.
+
+**Important**
 
+This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file.
+
+ **To export your compatibility list**
+
+1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**.
+
+2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`.
+
+## Related topics
+
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/images/config-enterprise-site-list.png b/browsers/enterprise-mode/images/config-enterprise-site-list.png
new file mode 100644
index 0000000000..82ffc30895
Binary files /dev/null and b/browsers/enterprise-mode/images/config-enterprise-site-list.png differ
diff --git a/browsers/enterprise-mode/images/enterprise-mode-value-data.png b/browsers/enterprise-mode/images/enterprise-mode-value-data.png
new file mode 100644
index 0000000000..9e9ece9c1a
Binary files /dev/null and b/browsers/enterprise-mode/images/enterprise-mode-value-data.png differ
diff --git a/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..963880eb75
--- /dev/null
+++ b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,45 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. +author: eross-msft +ms.prod: ie11 +ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 +title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can clear all of the sites from your global Enterprise Mode site list. + +**Important**   +This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. + + **To clear your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. + +2. Click **Yes** in the warning message.

Your sites are all cleared from your list. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md new file mode 100644 index 0000000000..546fe2133e --- /dev/null +++ b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md @@ -0,0 +1,39 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local compatibility view list. +author: eross-msft +ms.prod: ie11 +ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 +title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local compatibility view list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. + + **To remove sites from a local compatibility view list** + +1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. + +2. Pick the site to remove, and then click **Remove**.

+Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section. + +  + +  + + + diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md new file mode 100644 index 0000000000..8b15e9ddd5 --- /dev/null +++ b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -0,0 +1,55 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local Enterprise Mode site list. +author: eross-msft +ms.prod: ie11 +ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 +title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local Enterprise Mode site list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. + +**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. + +  **To remove single sites from a local Enterprise Mode site list** + +1. Open Internet Explorer 11 and go to the site you want to remove. + +2. Click **Tools**, and then click **Enterprise Mode**.

+The checkmark disappears from next to Enterprise Mode and the site is removed from the list. + +**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. + + **To remove all sites from a local Enterprise Mode site list** + +1. Open IE11, click **Tools**, and then click **Internet options**. + +2. Click the **Delete** button from the **Browsing history** area. + +3. Click the box next to **Cookies and website data**, and then click **Delete**. + +**Note**
This removes all of the sites from a local Enterprise Mode site list. + +   + +  + +  + + + diff --git a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..7ec1867c5b --- /dev/null +++ b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -0,0 +1,43 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. +author: eross-msft +ms.prod: ie11 +ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a +title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Save your site list to XML in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. + + **To save your list as XML** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. + +2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).

+The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md new file mode 100644 index 0000000000..f49ad80a75 --- /dev/null +++ b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md 
@@ -0,0 +1,50 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Schedule approved change requests for production using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. + +**To schedule an immediate change** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Now**, and then clicks **Save**. + + The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. + + +**To schedule the change for a different day or time** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. + + The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. 
After the update finishes, the Requester will be asked to verify the changes. + + +## Next steps +After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..5292cf3570 --- /dev/null +++ b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -0,0 +1,41 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Search to see if a specific site already appears in your global Enterprise Mode site list. +author: eross-msft +ms.prod: ie11 +ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 +title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. + + **To search your compatibility list** + +- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

+The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md new file mode 100644 index 0000000000..bfb9659bd0 --- /dev/null +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -0,0 +1,157 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Set up and turn on Enterprise Mode logging and data collection in your organization. +author: eross-msft +ms.prod: ie11 +ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde +title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set up Enterprise Mode logging and data collection + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. + +![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) + +The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. + +![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) + +Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. 
For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. + +## Using ASP to collect your data +When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. + + **To set up an endpoint server** + +1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). + +2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

+This lets you create an ASP form that accepts the incoming POST messages. + +3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. + + ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + +4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. + + ![IIS Manager, setting logging options](images/ie-emie-logging.png) + +5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

+Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. + +6. Apply these changes to your default website and close the IIS Manager. + +7. Put your EmIE.asp file into the root of the web server, using this command: + + ``` + <% @ LANGUAGE=javascript %> + <% + Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); + %> + ``` +This code logs your POST fields to your IIS log file, where you can review all of the collected data. + + +### IIS log file information +This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. + +![Enterprise Mode log file](images/ie-emie-logfile.png) + + +## Using the GitHub sample to collect your data +Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.

+This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page. + +### Setting up, collecting, and viewing reports +For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report. + + **To set up the sample** + +1. Set up a server to collect your Enterprise Mode information from your users. + +2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. + +3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. + +4. On the **Build** menu, tap or click **Build Solution**.

+The required packages are automatically downloaded and included in the solution. + + **To set up your endpoint server** + +1. Right-click on the name, PhoneHomeSample, and click **Publish**. + + ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + +2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. + + **Important**
+ Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  + + ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + + After you finish the publishing process, you need to test to make sure the app deployed successfully. + + **To test, deploy, and use the app** + +1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: + + ``` "Enable"="http:///api/records/" + ``` + Where `` points to your deployment URL. + +2. After you’re sure your deployment works, you can deploy it to your users using one of the following: + + - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. + + - Deploy the registry key in Step 3 using System Center or other management software. + +3. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. + + **To view the report results** + +- Go to `http:///List` to see the report results.

+If you’re already on the webpage, you’ll need to refresh the page to see the results. + + ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + + +### Troubleshooting publishing errors +If you have errors while you’re publishing your project, you should try to update your packages. + + **To update your packages** + +1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. + + ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + +2. Click **Updates** on the left side of the tool, and click the **Update All** button.

+You may need to do some additional package cleanup to remove older package versions. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +  + +  + + + diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md new file mode 100644 index 0000000000..0aca62e070 --- /dev/null +++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md 
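Review bot: The ASP sample in step 7 of "To set up an endpoint server" writes `Request.Form("URL")` and `Request.Form("EnterpriseMode")` into the IIS log unvalidated, so any client that can reach the port 81 binding can put arbitrary text, including the ` ;` separator the snippet relies on, into the log the reader is later told to review. The topic should add a caveat beside the snippet, e.g. `Validate the posted fields before logging them: accept only the two expected field names, cap their length, and drop values containing control characters or the " ;" separator.` Because the collected data pairs user names and client IPs with the internal URLs users have trouble with, the "custom HTTP port 81" recommendation also deserves a sentence pointing to an HTTPS binding and to restricting the endpoint to the corporate network. Separately, step 2 of "To test, deploy, and use the app" refers to `Deploy the registry key in Step 3`, but the registry key is set in step 1 of that procedure, and the `http:///api/records/` and `Where `` points to` lines appear to have lost their placeholder (presumably a deployment-URL token stripped in rendering), which is worth confirming in the source file.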
@@ -0,0 +1,232 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
+author: eross-msft
+ms.prod: ie11
+title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Set up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
+
+## Step 1 - Copy the deployment folder to the web server
+You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
+
+**To download the source code**
+1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
+
+2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
+
+ >[!Note]
+ >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
+
+3. 
Open File Explorer and then open the **EMIEWebPortal/** folder. + +4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**. + +5. Type _npm i_ into the command prompt, then press **Enter**. + + Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. + +6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution. + +7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. + +## Step 2 - Create the Application Pool and website, by using IIS +Create a new Application Pool and the website, by using the IIS Manager. + +**To create a new Application Pool** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**. + + The **Add Application Pool** box appears. + +2. In the **Add Application Pool** box, enter the following info: + + - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_. + + - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher. + + - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content. + +3. Click **OK**. + +4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane. + + The **Advanced Settings** box appears. + +5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box. + +6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_. + +7. 
Right-click on the directory, click **Properties**, and then click the **Security** tab. + +8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer. + +9. Add **Everyone** to the list with **Read & execute access**. + +**To create the website** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**. + + The **Add Website** box appears. + +2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**. + + The **Select Application Pool** box appears. + +4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_. + +5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_. + +6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization. + +7. Clear the **Start Website immediately** check box, and then click **OK**. + +8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_. + + The **<website_name> Home** pane appears. + +9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. + + >[!Note] + >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + +10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon. + +11. Open the **LOBMergedEntities Connection String** to edit: + + - **Data source.** Type the name of your local computer. + + - **Initial catalog.** The name of your database. + + >[!Note] + >Step 3 of this topic provides the steps to create your database. 
+ +## Step 3 - Create and prep your database +Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. + +**To create and prep your database** +1. Start SQL Server Management Studio. + +2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine. + +3. Expand the instance, right-click on **Databases**, and then click **New Database**. + +4. Type a database name. For example, _EMIEDatabase_. + +5. Leave all default values for the database files, and then click **OK**. + +6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory. + +7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_. + +8. Run the query. + +## Step 4 - Map your Application Pool to a SQL Server role +Map your ApplicationPoolIdentity to your database, adding the db_owner role. + +**To map your ApplicationPoolIdentity to a SQL Server role** +1. Start SQL Server Management Studio and connect to your database. + +2. Expand the database instance and then open the server-level **Security** folder. + + > [!IMPORTANT] + > Make sure you open the **Security** folder at the server level and not for the database. + +3. Right-click **Logins**, and then click **New Login**. + + The **Login-New** dialog box appears. + +4. Type the following into the **Login name** box, based on your server instance type: + + - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_. + + - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`. + + > [!IMPORTANT] + > Don't click **Search** in the **Login name** box. 
Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID). + +5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane. + +6. Click **OK**. + +## Step 5 - Restart the Application Pool and website +Using the IIS Manager, you must restart both your Application Pool and your website. + +**To restart your Application Pool and website** +1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane. + +2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane. + +## Step 6 - Registering as an administrator +After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. + +**To register as an administrator** +1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085. + +2. Click **Register now**. + +3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box. + +4. Click **Administrator** from the **Role** box, and then click **Save**. + +5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole. + + A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. + +6. 
Select your name from the available list, and then click **Activate**. + +7. Go to the Enterprise Mode Site List Portal Home page and sign in. + +## Step 7 - Configure the SMTP server and port for email notification +After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system. + +**To set up your SMTP server and port for emails** +1. Open Visual Studio, and then open the web.config file from your deployment directory. + +2. Update the SMTP server and port info with your info, using this format: + + ``` + + + ``` +3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info. + +## Step 8 - Register the scheduler service +Register the EMIEScheduler tool and service for production site list changes. + +**To register the scheduler service** + +1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. + + >[!Important] + >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + +2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. + +3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._ + + You'll be asked for your user name and password for the service. + +4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. 
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/enterprise-mode/turn-off-enterprise-mode.md b/browsers/enterprise-mode/turn-off-enterprise-mode.md
new file mode 100644
index 0000000000..12a4ee7ffd
--- /dev/null
+++ b/browsers/enterprise-mode/turn-off-enterprise-mode.md
@@ -0,0 +1,77 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
+title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Turn off Enterprise Mode
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list.
+
+In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu.
+
+**Important**
+Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. + +  **To turn off the site list using Group Policy** + +1. Open your Group Policy editor, like Group Policy Management Console (GPMC). + +2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

+Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. + + **To turn off local control using Group Policy** + +1. Open your Group Policy editor, like Group Policy Management Console (GPMC). + +2. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. + +3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. + + **To turn off the site list using the registry** + +1. Open a registry editor, such as regedit.exe. + +2. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

+You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. + +3. Close all and restart all instances of Internet Explorer.

+IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). + + **To turn off local control using the registry** + +1. Open a registry editor, such as regedit.exe. + +2. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

+You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. + +3. Close and restart all instances of IE.

+Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). + +## Related topics +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md new file mode 100644 index 0000000000..e4e3d83ec8 --- /dev/null +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -0,0 +1,47 @@ +Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing +centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. + +>[!NOTE] +>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. + +**Group Policy** + +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.

Turning this setting on also requires you to create and store a site list. + + + +2. Click **Enabled**, and then in the **Options** area, type the location to your site list. + +3. Refresh your policy and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. + +**Registry** + +All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. + +1. **To turn on Enterprise Mode for all users on the PC:** Open the registry editor and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`. + +2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.

For example: + + + - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"` + + - **Local network:** `"SiteList"="\\network\shares\sites.xml"` + + - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` + + > **Example:** + >> _Web URL_ http://localhost:8080/EnterpriseMode.xml + >> + >> _Network Share_ \\NetworkShare.xml (Place this inside the group policy folder on Sysvol) + >> + >> _Drive Letter_ C:.xml + + All of your managed devices must have access to this location if you want them to use Enterprise Mode and your site list. + +3. Refresh the policy in your organization and then view the affected sites in + Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. + At the same time, the page opens in IE11; in a new frame if it is not yet + running, or in a new tab if it is. diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md new file mode 100644 index 0000000000..0f5ff8d1f9 --- /dev/null +++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md 
@@ -0,0 +1,61 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Turn on local user control and logging for Enterprise Mode.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1
+title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Turn on local control and logging for Enterprise Mode
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools.
+
+Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu.
+
+ **To turn on local control of Enterprise Mode using Group Policy**
+
+1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
+
+ ![group policy editor with emie setting](images/ie-emie-editpolicy.png)
+
+2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
+
+ **To turn on local control of Enterprise Mode using the registry**
+
+1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.
+
+2. 
In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. + +3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. + + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + +Your **Value data** location can be any of the following types: + +- **URL location (like, http://www.emieposturl.com/api/records or http://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
+The `http://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, http://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. + +For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). + +  + +  + + + diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-portal.md b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md new file mode 100644 index 0000000000..d57c5f411b --- /dev/null +++ b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md 
@@ -0,0 +1,80 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. +ms.prod: ie11 +title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Use the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. + +## Minimum system requirements for portal and test machines +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. 
+ +|Item |Description | +|-----|------------| +|Operating system |Windows 7 or later | +|Memory |16 GB RAM | +|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | +|Active Directory (AD) |Devices must be domain-joined | +|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | +|Visual Studio |Visual Studio 2015 or later | +|Node.js® package manager |npm Developer version or higher | +|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | + +## Role assignments and available actions +Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. + +|Role assignment |Available actions | +|----------------|------------------| +|Requester |

  • Create a change request


  • Validate changes in the pre-production environment


  • Rollback pre-production and production changes in case of failure


  • Send approval requests


  • View own requests


  • Sign off and close own requests
| +|Approver

(includes the App Manager and Group Head roles) |
  • All of the Requester actions, plus:


  • Approve requests
| +|Administrator |
  • All of the Requester and Approver actions, plus:


  • Add employees to the portal


  • Assign employee roles


  • Approve registrations to the portal


  • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


  • Use the standalone Enterprise Mode Site List Manager page


  • View reports
| + +## Enterprise Mode Site List Portal workflow by employee role +The following workflow describes how to use the Enterprise Mode Site List Portal. + +1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) + +2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) + +3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) + +4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) + +5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) + +- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +  + +  + + + diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..fbe6ddff8f --- /dev/null +++ b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md 
@@ -0,0 +1,61 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. +author: eross-msft +ms.prod: ie11 +ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b +title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 12/04/2017 +--- + + +# Use the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +[!INCLUDE [enterprise-mode-site-list-mgr-versions-include](../../enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md)] + +## Using the Enterprise Mode Site List Manager +The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. + +|Topic |Description | +|------|------------| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). 
| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | +|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | + +## Related topics + + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +  + +  + + + diff --git a/browsers/enterprise-mode/using-enterprise-mode.md b/browsers/enterprise-mode/using-enterprise-mode.md new file mode 100644 index 0000000000..313a07e8e8 --- /dev/null +++ b/browsers/enterprise-mode/using-enterprise-mode.md 
@@ -0,0 +1,57 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. +author: eross-msft +ms.prod: ie11 +ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a +title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using IE7 Enterprise Mode or IE8 Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features. + +Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code: + +- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode. +- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode. + +**Important**
+Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10. + +## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode +For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) + +For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + 
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
new file mode 100644
index 0000000000..94de88ee4e
--- /dev/null
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@@ -0,0 +1,67 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Verify your changes using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +>[!Important] +>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: + +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. + +- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. + +- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. + +## Verify and send the change request to Approvers +The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. + +**To verify changes and send to the Approver(s)** +1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. 
The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. + + The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. + + +**To rollback your pre-production changes** +1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. + + The change request and issue info are sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. + + After the Requester rolls back the changes, the request can be updated and re-submitted. + + +## View rolled back change requests +The original Requester and the Administrator(s) group can view the rolled back change requests. + +**To view the rolled back change request** + +- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. + + All rolled back change requests appear, with role assignment determining which ones are visible. + +## Next steps +If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. diff --git a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md new file mode 100644 index 0000000000..00fb099e3f --- /dev/null +++ b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md 
@@ -0,0 +1,42 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+## Verify and sign off on the update in the production environment
+The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
+
+**To verify the changes and sign off**
+- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
+
+ The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
+
+
+**To rollback production changes**
+1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
+
+2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
+
+ The info is sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the production environment.
+
+ After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
+
diff --git a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
new file mode 100644
index 0000000000..29d1d8afe9
--- /dev/null
+++ b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
@@ -0,0 +1,38 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
+
+**To view the active Enterprise Mode Site List**
+1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
+
+ The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
+
+
+**To export the active Enterprise Mode Site List**
+1. On the **Production sites list** page, click **Export**.
+
+2. Save the ProductionSiteList.xlsx file.
+
+ The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
new file mode 100644
index 0000000000..34359d6f1b
--- /dev/null
+++ b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
@@ -0,0 +1,4 @@
+## What is Enterprise Mode?
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
\ No newline at end of file
diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md
new file mode 100644
index 0000000000..175646f824
--- /dev/null
+++ b/browsers/includes/available-duel-browser-experiences-include.md
@@ -0,0 +1,12 @@
+## Available dual-browser experiences
+Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
+
+- Use Microsoft Edge as your primary browser.
+
+- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
+
+- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
+
+- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
+
+For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
\ No newline at end of file
diff --git a/browsers/includes/configuration-options.md b/browsers/includes/configuration-options.md
new file mode 100644
index 0000000000..2b2516dfe2
--- /dev/null
+++ b/browsers/includes/configuration-options.md
@@ -0,0 +1,11 @@
+## Configuration options
+You can make changes to your deployment through the software management system you have chosen.
+
+### Choosing an update channel
+
+### Configure policies using Group Policy Editor
+
+### Configure policies using Registry Editor
+
+### Configure policies using Intune
+
diff --git a/browsers/includes/control-browser-content.md b/browsers/includes/control-browser-content.md
new file mode 100644
index 0000000000..e32eda17a8
--- /dev/null
+++ b/browsers/includes/control-browser-content.md
@@ -0,0 +1,18 @@
+## Controlling browser content
+This section explains how to control content in the browser.
+
+### Configure Pop-up Blocker
+[configure-pop-up-blocker-include](../edge/includes/configure-pop-up-blocker-include.md)
+
+### Allow exentions
+[allow-extensions-include](../edge/includes/allow-extensions-include.md)
+
+[send-all-intranet-sites-ie-include](../edge/includes/send-all-intranet-sites-ie-include.md)
+
+[keep-fav-sync-ie-edge-include](../edge/includes/keep-fav-sync-ie-edge-include.md)
+
+extensions
+javascript
+Tracking your browser:
+- Do not track
+
diff --git a/browsers/includes/control-browsing-behavior.md b/browsers/includes/control-browsing-behavior.md
new file mode 100644
index 0000000000..067eba3f7d
--- /dev/null
+++ b/browsers/includes/control-browsing-behavior.md
@@ -0,0 +1,90 @@ + +# Control browsing behavior +This section explains how to contol the behavior of Microsoft Edge in certain circumstances. Besides changing how sites deplay and the look and feel of the browser itself, you can also change how the browser behaves, for example, you can change the settings for security. + + + +## Security settings + +## Cookies + +[configure-cookies-include](../edge/includes/configure-cookies-include.md) + +## Search engine settings +...shortdesc of search engines...how admins can control the default search engine... + +### Allow address bar suggestions +[allow-address-bar-suggestions-include](../edge/includes/allow-address-bar-suggestions-include.md) + +[configure-search-suggestions-address-bar-include](../edge/includes/configure-search-suggestions-address-bar-include.md) + +[allow-search-engine-customization-include](../edge/includes/allow-search-engine-customization-include.md) + +[configure-additional-search-engines-include](../edge/includes/configure-additional-search-engines-include.md) + +[set-default-search-engine-include](../edge/includes/set-default-search-engine-include.md) + + + + +## Extensions +Extensions allow you to add features and functionality directly into the browser itself. Choose from a range of extensions from the Microsoft Store. + + + +[Allow Extensions](../edge/available-policies.md#allow-extensions) + +[allow-sideloading-extensions-include](../edge/includes/allow-sideloading-extensions-include.md) + +[prevent-turning-off-required-extensions-include](../edge/includes/prevent-turning-off-required-extensions-include.md) + +## Home button settings +The Home page... + + +### Scenarios +You can specify www.bing.com or www.google.com as the startup pages for Microsoft Edge using "HomePages" (MDM) or Configure Start Pages (GP). You can also enable the Disable Lockdown of Start pages (GP) policy or set the the DisableLockdownOfStartPages (MDM) setting to 1 allowing users to change the Microsoft Edge start options. 
Additionally, you can enable the Disable Lockdown of Start Pages or set the DisableLockdownOfStartPages to 2 locking down the IT-provided URLs, but allowing users to add or remove additional URLs. Users cannot switch Startup setting to another, for example, to load New Tab page or "previous pages" at startup. + +### Configuration combinations + +| **Configure Home Button** | **Set Home Button URL** | **Unlock Home Button** | **Results** | +|---------------------------------|-------------------------|------------------------|---------------------------------| +| Not configured (0/Null default) | N/A | N/A | Shows home button and loads the Start page. | +| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and prevent users from making changes to it. | +| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and let users from making changes to it. | +| Enabled (2) | Enabled | Disabled (0 default) | Shows home button, loads custom URL defined in the Set Home Button URL policy, prevent users from changing what page loads. | +| Enabled (2) | Enabled | Enabled | Shows home button, loads custom URL defined in the Set Home Button URL policy, and allow users to change what page loads. | +| Enabled (3) | N/A | N/A | Hides home button. 
| +--- + +[configure-home-button-include](configure-home-button-include.md) + +[set-home-button-url-include](set-home-button-url-include.md) + +[unlock-home-button-include](unlock-home-button-include.md) + +## Start page settings + +[configure-start-pages-include](configure-start-pages-include.md) + +[disable-lockdown-of-start-pages-include](disable-lockdown-of-start-pages-include.md) + + + +## New Tab page settings + +[set-new-tab-url-include](set-new-tab-url-include.md) + +[allow-web-content-new-tab-page-include](allow-web-content-new-tab-page-include.md) + + +## Exit tasks + +[allow-clearing-browsing-data-include](allow-clearing-browsing-data-include.md) + + +## Kiosk mode + +[Configure kiosk mode](configure-microsoft-edge-kiosk-mode-include.md) + +[Configure kiosk reset after idle timeout](configure-edge-kiosk-reset-idle-timeout-include.md) diff --git a/browsers/includes/customize-look-and-feel.md b/browsers/includes/customize-look-and-feel.md new file mode 100644 index 0000000000..5bada8092e --- /dev/null +++ b/browsers/includes/customize-look-and-feel.md @@ -0,0 +1,2 @@ +## Customize the look and feel + diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md new file mode 100644 index 0000000000..21a3238bd5 --- /dev/null +++ b/browsers/includes/helpful-topics-include.md 
@@ -0,0 +1,28 @@
+
+## Helpful information and additional resources
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
+
+- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md)
+
+- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md)
+
+- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
+
+- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
+
+- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
+
+
+
+
+
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
+- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
+- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
+- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
new file mode 100644
index 0000000000..2e8b76896b
--- /dev/null
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -0,0 +1,12 @@ +If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. + +>[!IMPORTANT] +>Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. + +1. In the Enterprise Mode Site List Manager, click **File \> Import**. + +2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` + +1. Click **Open**. + +2. Review the alert message about all of your entries being overwritten and click **Yes**. diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md new file mode 100644 index 0000000000..5937eb6bef --- /dev/null +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md 
@@ -0,0 +1,28 @@
+## Interoperability goals and enterprise guidance
+
+Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser.
+
+You must continue using IE11 if web apps use any of the following:
+
+* ActiveX controls
+
+* x-ua-compatible headers
+
+* <meta> tags
+
+* Enterprise mode or compatibility view to address compatibility issues
+
+* legacy document modes [what is this?]
+
+If you have uninstalled IE11, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
+
+>[!TIP]
+>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
+
+
+|Technology |Why it existed |Why we don't need it anymore |
+|---------|---------|---------|
+|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | |
+|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | |
+|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions.
|Similar to other modern browsers, Microsoft Edge will have a single “living” document mode. In order to minimize the compatibility burden, features will be tested behind switches in about:flags until they are stable and ready to be turned on by default. |
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index ec70489dce..f1136e386c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -48,7 +48,7 @@ If you get an error during the Windows Update process, see [Fix the problem with
 5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website.
-If these steps didn't fix your problem, see [Troubleshooting a failed installation of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=304130).
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index e3c64ee2bb..cd31220caa 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration
 **To set the default browser as Internet Explorer 11**
-1. Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 49d9417151..e1fa685f30 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,5 +1,6 @@ # [Microsoft HoloLens](index.md) ## [What's new in Microsoft HoloLens](hololens-whats-new.md) +## [Insider preview for Microsoft HoloLens](hololens-insider.md) ## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) ## [Set up HoloLens](hololens-setup.md) ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 68f9c695ce..95f7f92bed 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -9,13 +9,19 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 06/04/2018 +ms.date: 07/27/2018 --- # Change history for Microsoft HoloLens documentation This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +## July 2018 + +New or changed topic | Description +--- | --- +[Insider preview for Microsoft HoloLens](hololens-insider.md) | New + ## June 2018 New or changed topic | Description diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md new file mode 100644 index 0000000000..05e12d5cce --- /dev/null +++ b/devices/hololens/hololens-insider.md 
@@ -0,0 +1,176 @@
+---
+title: Insider preview for Microsoft HoloLens (HoloLens)
+description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
+ms.prod: hololens
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 07/27/2018
+---
+
+# Insider preview for Microsoft HoloLens
+
+Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
+
+>Latest insider version: 10.0.17720.1000
+
+
+## How do I install the Insider builds?
+
+On a device running the Windows 10 April 2018 Update, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
+
+Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
+
+Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
+
+## New features for HoloLens
+
+The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes).
+
+### For everyone
+
+
+Feature | Details | Instructions
+--- | --- | ---
+Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**.
+Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to.
+New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture).
+HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app.
+Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level.
+New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo.
+Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with.
+Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content.
+
+### For developers
+
+- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word.
+- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content.
+
+### For commercial customers
+
+
+Feature | Details | Instructions
+--- | --- | ---
+Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:

1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.

On your HoloLens:

1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package.
+Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:

1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).

**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.

Create provisioning package with WCD:

1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.

Apply the package to HoloLens:

1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.

Enable assigned access on HoloLens:

1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile.
+PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**.
+Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.
+Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number.
+Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename).
+
+### For international customers
+
+
+Feature | Details | Instructions
+--- | --- | ---
+Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below.
+
+#### Installing the Chinese or Japanese versions of the Insider builds
+
+In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT).
+
+>[!IMPORTANT]
+>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens.
+
+1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview.
+2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp).
+4. When the download is finished, select **File Explorer > Downloads**.
Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it.
+5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
+6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile.
+7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.)
+8. Select **Install software** and follow the instructions to finish installing.
+9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions.
+
+When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is.
+
+## Note for language support
+
+- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
+- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English).
+
+## Note for developers
+
+You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started.
Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. + +## Provide feedback and report issues + +Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. + +>[!NOTE] +>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). + + +## AssignedAccessHoloLensConfiguration_AzureADGroup.xml + +Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers). + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + +``` + diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 9b54f8a335..5e1218f90c 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/22/2018 +ms.date: 08/14/2018 --- # Set up HoloLens in kiosk mode 
@@ -145,8 +145,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. + 8. On the **File** menu, select **Save.** 9. On the **Export** menu, select **Provisioning package**. 10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md index 0f62fc2e6e..6912c956f4 100644 --- a/devices/hololens/hololens-setup.md +++ b/devices/hololens/hololens-setup.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 08/02/2018 --- # Set up HoloLens 
@@ -30,7 +30,12 @@ The HoloLens setup process combines a quick tutorial on using HoloLens with the 2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens. 3. Next, you'll be guided through connecting to a Wi-Fi network. 4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**. - - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). + - When you choose **My work or school owns it**, you sign in with an Azure AD account. + + >[!NOTE] + >[To share your HoloLens device with multiple Azure AD accounts](hololens-multiple-users.md), the HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). + + If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). 1. Enter your organizational account. 2. Accept privacy statement. 3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page. diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index b855080450..f7da9a892b 100644 
--- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 07/09/2018 --- # Unlock Windows Holographic for Business features @@ -81,11 +81,10 @@ Provisioning packages are files created by the Windows Configuration Designer to ### Apply the provisioning package to HoloLens -1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box). +1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC. -2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. - -3. HoloLens will show up as a device in File Explorer on the PC. + >[!NOTE] + >If the HoloLens device is running Windows 10, version 1607 or earlier, briefly press and release the **Volume Down** and **Power** buttons simultaneously to open File Explorer. 4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage. @@ -95,8 +94,7 @@ Provisioning packages are files created by the Windows Configuration Designer to 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. ->[!NOTE] ->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. + diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 90e76edb5e..786b38a1e3 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md 
@@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/21/2018 +ms.date: 07/27/2018 --- # Microsoft HoloLens @@ -22,6 +22,7 @@ ms.date: 05/21/2018 | Topic | Description | | --- | --- | | [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. | +[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build. | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | | [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business | diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 1a7df44a44..10317bd4e4 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 06/01/2018 +ms.date: 07/12/2018 ms.localizationpriority: medium --- @@ -15,6 +15,12 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## July 2018 + +New or changed topic | Description +--- | --- +[Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Added information and links for new Microsoft Whiteboard app release. + ## June 2018 New or changed topic | Description diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 4a5167db40..241cfc77e6 100644 
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -33,7 +33,7 @@ When connecting external devices and displays to a Surface Hub, there are severa
 ## Guest Mode
-Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source.
+Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source.
 >[!NOTE]
 >When an HDCP source is connected, use the side keypad to change source inputs.
diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md
index 8407392860..810dc3d2ce 100644
--- a/devices/surface-hub/enable-8021x-wired-authentication.md
+++ b/devices/surface-hub/enable-8021x-wired-authentication.md
@@ -56,5 +56,5 @@ This OMA-URI node takes a text string of XML as a parameter. The XML provided as
 ## Adding certificates
-If your selected authentication method is certificate-based, you will will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates).
+If your selected authentication method is certificate-based, you will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates).
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index e0111f0b35..90479cad66 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -141,7 +141,7 @@ Next, you enable the device account with [Skype for Business Online](#skype-for- To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need. -| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have have Skype for Business Server 2015 (on-premises or hybrid), you need: | +| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have Skype for Business Server 2015 (on-premises or hybrid), you need: | | --- | --- | --- | --- | | Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | | Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | @@ -282,7 +282,7 @@ Use this procedure if you use Exchange online. 5. Add email address for your on-premises domain account. - For this procedure, you'll be using AD admin tools to add an email address for your on-preises domain account. + For this procedure, you'll be using AD admin tools to add an email address for your on-premises domain account. - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**. - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**. diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index b819e54b9a..06b5ab6450 100644 --- a/devices/surface-hub/index.md 
+++ b/devices/surface-hub/index.md @@ -51,3 +51,10 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof +## Additional resources + +- [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history) +- [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/) +- [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ) +- [Microsoft Surface on Twitter](https://twitter.com/surface) + diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 13af52d485..d0e895cd1a 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -46,7 +46,6 @@ Surface Hub now supports the ability to automatically enroll in Intune by joinin For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment). - ## Manage Surface Hub settings with MDM You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML. 
@@ -85,7 +84,7 @@ For more information, see [SurfaceHub configuration service provider](https://ms ### Supported Windows 10 settings -In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/library/windows/hardware/dn920025.aspx). +In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference). The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML. diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md index 81c91723b7..ef1cd24725 100644 --- a/devices/surface-hub/surface-hub-recovery-tool.md +++ b/devices/surface-hub/surface-hub-recovery-tool.md 
@@ -18,6 +18,9 @@ The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/det To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf). +>[!IMPORTANT] +>Do not let the device go to sleep or interrupt the download of the image file. + If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). ## Prerequisites diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 08346d20b4..10f086f358 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md 
@@ -6,13 +6,16 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 10/20/2017 +ms.date: 07/12/2018 ms.localizationpriority: medium --- # Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) -Microsoft Whiteboard’s latest update (17.8302.5275X or greater) includes the capability for two Surface Hubs to collaborate in real time on the same board. +The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. + +>[!IMPORTANT] +>A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen cannot collaborate with the new version that can be installed on the PC. If people in your organization install the new Whiteboard on their PCs, you must install the new Whiteboard on Surface Hub to enable collaboration. To learn more about installing the new Whiteboard on your Surface Hub, see [Whiteboard on Surface Hub opt-in](https://go.microsoft.com/fwlink/p/?LinkId=2004277). By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 227433e7b2..445be071c9 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -117,6 +117,14 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.22.139.0 +*Release Date: 26 July 2018* + +This version of Surface Dock Updater adds support for the following: + +- Increase update reliability +- Add support for Surface Go + ### Version 2.12.136.0 *Release Date: 29 January 2018* 
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index c5de082d9e..73c49f7dbc 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -42,7 +42,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro #### Download SEMM scripts for Configuration Manager -After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center. +After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center. ## Deploy Microsoft Surface UEFI Manager 
@@ -269,7 +269,7 @@ The following code fragment, found on lines 352-363, is used to write this regis ### Settings names and IDs -To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center. +To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703) The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. 
@@ -424,4 +424,4 @@ Removal of SEMM from a device deployed with Configuration Manager using these sc >When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken. ->For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. \ No newline at end of file +>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 3550f35fd6..cbfbebde41 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md 
@@ -49,4 +49,8 @@ Surface devices with support for out-of-box deployment with Windows Autopilot, e ## Surface partners enabled for Windows Autopilot Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. -You can find a list of Surface partners enabled for Windows Autopilot at the [Windows Autopilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface). \ No newline at end of file +When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: + +- [SHI](https://www.shi.com/?reseller=shi) +- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html) +- [Atea](https://www.atea.com/) \ No newline at end of file diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index d5a982714e..def3d886d3 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -26,10 +26,11 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea ## Inclusive Classroom features |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting |

  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| -| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| +| Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| +| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| | Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| -| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| + +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
|

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|
@@ -40,18 +41,19 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea | Spelling suggestions for phonetic misspellings |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

|

X

| | | Synonyms alongside spelling suggestions that can be read aloud |
  • Word 2016
  • Outlook 2016
| |

X

|

X

|

X

| | | Grammar checks |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | -| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | -| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
| |

X

|

X

|

X

| | +| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
|

X

|

X

|

X

| | | +| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
|

X

|

X

|

X

|

X

| | | Editor |
  • Word 2016
| |

X

|

X

| | |
| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| -| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

| | | | -| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

| | | | -| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
| |

X

| | | | + +| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

|

X

| | | +| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

|

X

| | | +| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
|

X

|

X

|

X

| | | | Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
  • Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)
| |

X

| | | | -| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| | | | | | +| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

|

X

| | | | Ability to request accessible content |
  • Outlook Web Access
| | | | | |
@@ -79,4 +81,4 @@ Depending on how you plan to do billing, you can have Office 365 accounts that a 1. Sign-in to your services and subscriptions with your Microsoft account. 2. Find the subscription in the list, then select **Change how you pay**. >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. -3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. \ No newline at end of file +3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. diff --git a/education/windows/TOC.md b/education/windows/TOC.md index ca73e87080..5cfd544fe5 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -4,6 +4,9 @@ ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Set up Windows devices for education](set-up-windows-10.md) ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) +#### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md) +#### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md) +#### [Provisioning package settings](set-up-school-pcs-provisioning-package.md) ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index b65a448e31..c14ad21e17 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md 
@@ -2,7 +2,7 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history -ms.prod: w10 +ms.prod: w10 ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library @@ -32,7 +32,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. | +| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. | | [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | | [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | | [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added additional info about the Ctrl+Alt+Del key combination. | diff --git a/education/windows/images/suspc-add-recommended-apps-1807.png b/education/windows/images/suspc-add-recommended-apps-1807.png new file mode 100644 index 0000000000..61a674e363 Binary files /dev/null and b/education/windows/images/suspc-add-recommended-apps-1807.png differ diff --git a/education/windows/images/suspc-admin-token-delete-1807.png b/education/windows/images/suspc-admin-token-delete-1807.png new file mode 100644 index 0000000000..0656dbb899 Binary files /dev/null and b/education/windows/images/suspc-admin-token-delete-1807.png differ 
diff --git a/education/windows/images/suspc-assessment-url-1807.png b/education/windows/images/suspc-assessment-url-1807.png
new file mode 100644
index 0000000000..c799e26271
Binary files /dev/null and b/education/windows/images/suspc-assessment-url-1807.png differ
diff --git a/education/windows/images/suspc-available-student-settings-1807.png b/education/windows/images/suspc-available-student-settings-1807.png
new file mode 100644
index 0000000000..d39fc2ceba
Binary files /dev/null and b/education/windows/images/suspc-available-student-settings-1807.png differ
diff --git a/education/windows/images/suspc-configure-student-settings-1807.png b/education/windows/images/suspc-configure-student-settings-1807.png
new file mode 100644
index 0000000000..553fb4d689
Binary files /dev/null and b/education/windows/images/suspc-configure-student-settings-1807.png differ
diff --git a/education/windows/images/suspc-createpackage-signin-1807.png b/education/windows/images/suspc-createpackage-signin-1807.png
new file mode 100644
index 0000000000..7a80f5c751
Binary files /dev/null and b/education/windows/images/suspc-createpackage-signin-1807.png differ
diff --git a/education/windows/images/suspc-createpackage-summary-1807.png b/education/windows/images/suspc-createpackage-summary-1807.png
new file mode 100644
index 0000000000..e78ac67856
Binary files /dev/null and b/education/windows/images/suspc-createpackage-summary-1807.png differ
diff --git a/education/windows/images/suspc-current-os-version-1807.png b/education/windows/images/suspc-current-os-version-1807.png
new file mode 100644
index 0000000000..bc2ba6a08d
Binary files /dev/null and b/education/windows/images/suspc-current-os-version-1807.png differ
diff --git a/education/windows/images/suspc-current-os-version-next-1807.png b/education/windows/images/suspc-current-os-version-next-1807.png
new file mode 100644
index 0000000000..a0b6632bd3
Binary files /dev/null and b/education/windows/images/suspc-current-os-version-next-1807.png differ
diff --git a/education/windows/images/suspc-device-names-1807.png b/education/windows/images/suspc-device-names-1807.png
new file mode 100644
index 0000000000..f3ad674b99
Binary files /dev/null and b/education/windows/images/suspc-device-names-1807.png differ
diff --git a/education/windows/images/suspc-enable-shared-pc-1807.png b/education/windows/images/suspc-enable-shared-pc-1807.png
new file mode 100644
index 0000000000..52fb68f830
Binary files /dev/null and b/education/windows/images/suspc-enable-shared-pc-1807.png differ
diff --git a/education/windows/images/suspc-savepackage-insertusb-1807.png b/education/windows/images/suspc-savepackage-insertusb-1807.png
new file mode 100644
index 0000000000..cd75795863
Binary files /dev/null and b/education/windows/images/suspc-savepackage-insertusb-1807.png differ
diff --git a/education/windows/images/suspc-savepackage-ppkgisready-1807.png b/education/windows/images/suspc-savepackage-ppkgisready-1807.png
new file mode 100644
index 0000000000..fd82b1e50b
Binary files /dev/null and b/education/windows/images/suspc-savepackage-ppkgisready-1807.png differ
diff --git a/education/windows/images/suspc-select-wifi-1807.png b/education/windows/images/suspc-select-wifi-1807.png
new file mode 100644
index 0000000000..c8b94d6aad
Binary files /dev/null and b/education/windows/images/suspc-select-wifi-1807.png differ
diff --git a/education/windows/images/suspc-select-wifi-network-1807.png b/education/windows/images/suspc-select-wifi-network-1807.png
new file mode 100644
index 0000000000..5a362daaa0
Binary files /dev/null and b/education/windows/images/suspc-select-wifi-network-1807.png differ
diff --git a/education/windows/images/suspc-sign-in-select-1807.png b/education/windows/images/suspc-sign-in-select-1807.png
new file mode 100644
index 0000000000..abffbec690
Binary files /dev/null and b/education/windows/images/suspc-sign-in-select-1807.png differ
diff --git a/education/windows/images/suspc-take-a-test-1807.png b/education/windows/images/suspc-take-a-test-1807.png
new file mode 100644
index 0000000000..ea6295658f
Binary files /dev/null and b/education/windows/images/suspc-take-a-test-1807.png differ
diff --git a/education/windows/images/suspc-take-a-test-app-1807.png b/education/windows/images/suspc-take-a-test-app-1807.png
new file mode 100644
index 0000000000..9d6c503f3c
Binary files /dev/null and b/education/windows/images/suspc-take-a-test-app-1807.png differ
diff --git a/education/windows/images/suspc-time-zone-1807.png b/education/windows/images/suspc-time-zone-1807.png
new file mode 100644
index 0000000000..274e411a4d
Binary files /dev/null and b/education/windows/images/suspc-time-zone-1807.png differ
diff --git a/education/windows/images/suspc-wifi-network-1807.png b/education/windows/images/suspc-wifi-network-1807.png
new file mode 100644
index 0000000000..6e03d35363
Binary files /dev/null and b/education/windows/images/suspc-wifi-network-1807.png differ
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
new file mode 100644
index 0000000000..16b59b9799
--- /dev/null
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -0,0 +1,95 @@
+---
+title: Azure AD Join with Setup School PCs app
+description: Describes how Azure AD Join is configured in the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/13/2018
+---
+
+# Azure AD Join for school PCs
+
+> [!NOTE]
+> Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
+> Designer](set-up-students-pcs-to-join-domain.md) to
+> join your PCs to your school's domain.
+
+Set up School PCs lets you create a provisioning package that automates Azure AD
+Join on your devices. This feature eliminates the need to manually:
+
+- Connect to your school’s network.
+
+- Join your organization's domain.
+
+## Automated connection to school domain
+
+During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
+
+Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps:
+* Office 365
+* OneDrive
+* OneNote.
+
+## Enable Azure AD Join
+
+Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package.
+
+1. Sign in to the Azure portal with your organization's credentials.
+2. Go to **Azure
+Active Directory** \> **Devices** \> **Device settings**.
+3. Enable the setting
+for Azure AD by selecting **All** or **Selected**. If you choose the latter
+option, select the teachers and IT staff to allow them to connect to Azure AD.
+
+![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png)
+
+You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
+
+## All Device Settings
+
+The following table describes each setting within **Device Settings**.
+
+| Setting | Description |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. |
+| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. |
+| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. |
+| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. |
+| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added. |
+| Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow. |
+
+## Clear Azure AD tokens
+
+Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
+
+To reduce your inventory, clear out all unnecessary and inactive tokens.
+1. Go to **Azure Active Directory** \> **Users** \> **All users**
+2. In the **User Name** column, select and delete all accounts with a **package\ _**
+prefix. These accounts are created at a 1:1 ratio for every token and are safe
+to delete.
+3. Select and delete inactive and expired user accounts.
+
+### How do I know if my package expired?
+Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.
+
+![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspc-admin-token-delete-1807.png)
+
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
new file mode 100644
index 0000000000..16b671865d
--- /dev/null
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -0,0 +1,122 @@
+---
+title: What's in Set up School PCs provisioning package
+description: Lists the provisioning package settings that are configured in the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/13/2018
+---
+
+# What's in my provisioning package?
+The Set up School PCs app builds a specialized provisioning package with school-optimized settings.
+
+A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article.
+
+## Shared PC Mode policies
+This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies:
+* Disk level deletion
+* Inactive threshold
+* Restrict local storage
+
+In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting.
+
+For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode).
+
+|Policy name|Default value|Description|
+|---------|---------|---------|
+|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.|
+|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education). |
+|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. |
+|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. |
+|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. |
+|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts. |
+|Enable account manager | True | Enables automatic account management. |
+|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted.
+|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. |
+|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. |
+|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive. |
+|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. |
+|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.|
+|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. |
+|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. |
+|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. |
+
+## MDM and local group policies
+This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.
+
+For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.
+
+
+|Policy name |Default value |Description |
+|---------|---------|---------|
+|Authority|User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD.
+|BPRT|User-defined| Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
+|WLAN Setting| XML is generated from the Wi-Fi profile in the Set up School PCs app.| Configures settings for wireless connectivity.|
+|Hide OOBE for desktop| True | Hides the interactive OOBE flow for Windows 10.|
+|Download Mode|1 - HTTP blended with peering behind the same NAT|Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates|
+|Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel| Specifies how frequently devices receive preview builds and feature updates.|
+|Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user.|
+|Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates.|
+|Update power policy for cart restarts | 1 - Configured| Skips all restart checks to ensure that the reboot will happen at the scheduled install time. |
+|Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days.|
+|Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device |
+|Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode |
+|Allow Cortana | Disabled | Cortana is not allowed on the device.
+|Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. |
+|Settings page visibility|Enabled |Specific pages in the System Settings app are not visible or accessible to students.|
+|Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. |
+|Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app |
+|Start Layout|Enabled |Lets you specify the Start layout for users and prevents them from changing the configuration.|
+|Import Edge Assets| Enabled| Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files.|
+|Allow pinned folder downloads|1 - The shortcut is visible and disables the setting in the Settings app |Makes the Downloads shortcut on the Start menu visible to students.|
+|Allow pinned folder File Explorer|1 - The shortcut is visible and disables the setting in the Settings app |Makes the File Explorer shortcut on the Start menu visible to students.|
+|Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | Deploys a jpg, jpeg, or png image to be used as lock screen image on the device.
+|Personalization| Lock screen image URL| Image filename| You can specify a jpg, jpeg, or png image to be used as the device lock screen image. This setting can take an http or https URL to a remote image to be downloaded, or a file URLto an existing local image.
+|Update|Active hours end | 5 PM | There will be no update reboots before this time. |
+|Update|Active hours start | 7 AM | There will be no update reboots after this time. |
+|Updates Windows | Nightly | Sets Windows to update on a nightly basis. |
+
+## Apps uninstalled from Windows 10 devices
+Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. The following table lists all apps uninstalled from Windows 10 devices.
+
+
+|App name |Application User Model ID |
+|---------|---------|
+|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe |
+|Bing Weather | Microsoft.BingWeather_8wekyb3d8bbwe |
+|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe|
+|Get Started | Microsoft.Getstarted_8wekyb3d8bbw |
+|Messaging|Microsoft.Messaging_8wekyb3d8bbwe
+|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe |
+|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe |
+|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe|
+|Paid Wi-Fi & Cellular | Microsoft.OneConnect_8wekyb3d8bbwe |
+|Feedback Hub | Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe |
+|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe |
+|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe|
+
+## Apps installed on Windows 10 devices
+Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include:
+* OneDrive
+* OneNote
+* Sway
+
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+
diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md
new file mode 100644
index 0000000000..acebeccc44
--- /dev/null
+++ b/education/windows/set-up-school-pcs-shared-pc-mode.md
@@ -0,0 +1,80 @@
+---
+title: Shared PC mode for school devices
+description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/13/2018
+---
+
+# Shared PC mode for school devices
+
+Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries. A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours.
+
+Shared PC mode can be applied on devices running:
+* Windows 10 Pro
+* Windows 10 Pro Education
+* Windows 10 Education
+* Windows 10 Enterprise
+
+To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc).
+
+## Windows Updates
+Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to:
+* Wake nightly.
+* Check for and install updates.
+* Forcibly reboot, when necessary, to complete updates.
+
+These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students.
+
+## Default admin accounts in Azure Active Directory
+By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer.
+
+An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. These accounts are configured in Intune in the Azure portal.
+
+## Account deletion policies
+This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts.
+
+### Azure AD accounts
+
+The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts.
+
+### Guest and Kiosk accounts
+Guest accounts and accounts created through Kiosk are deleted after they sign out of their account.
+
+### Local accounts
+Local accounts that you created before enabling shared PC mode aren't deleted. Local accounts that you create through the following path, after enabling PC mode, are not deleted: **Settings** app > **Accounts** > **Other people** > **Add someone**
+
+## Create custom Windows images
+Shared PC mode is compatible with custom Windows images.
+
+To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`.
+
+Teachers can then run the Set up School PCs package on the computer.
+
+## Optimize device for use by a single student
+Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared.
+
+If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
+1. In the app, go to the **Create package** > **Settings** step.
+2. Select **Optimize device for a single student, instead of a shared cart or lab**.
+
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 3f6907cffb..b23242412b 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -1,6 +1,6 @@
 ---
-title: Set up School PCs app technical reference
-description: Describes the changes that the Set up School PCs app makes to a PC.
+title: Set up School PCs app technical reference overview
+description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
 keywords: shared cart, shared PC, school, set up school pcs
 ms.prod: w10
 ms.technology: Windows
@@ -8,302 +8,74 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: CelesteDG -ms.author: celested -ms.date: 04/04/2018 +author: lenewsad +ms.author: lanewsad +ms.date: 07/11/2018 --- -# Technical reference for the Set up School PCs app +What is Set up School PCs? +================================================= + **Applies to:** -- Windows 10 +- Windows 10 + +The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The +app, which is available for Windows 10 version 1703 and later, configures and saves +school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. + + +## Join PC to Azure Active Directory +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app creates a setup file that joins your PC to your Azure Active +Directory tenant. + +The app also helps set up PCs for use with or without Internet connectivity. + +## List of Set up School PCs features +The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. 
+
+| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------|
+| **Fast sign-in** | X | X | X | X |
+| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | |
+| **Custom Start experience** | X | X | X | X |
+| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | |
+| **Guest account, no sign-in required** | X | X | X | X |
+| Set up computers for use by anyone with or without an account. | | | | |
+| **School policies** | X | X | X | X |
+| Settings create a relevant, useful learning environment and optimal computer performance. | | | | |
+| **Azure AD Join** | | X | X | X |
+| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | |
+| **Single sign-on to Office 365** | | | X | X |
+| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | |
+| **Take a Test app** | | | | X |
+| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | |
+| [Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X |
+| Synchronize student and application data across devices for a personalized experience. | | | | |
+
+> [!NOTE]
+> If your school uses Active Directory, use [Windows Configuration
+> Designer](set-up-students-pcs-to-join-domain.md)
+> to configure your PCs to join the domain. You can only use the Set up School
+> PCs app to set up PCs that are connected to Azure AD.
-The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic.
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.
-
-Here's a list of what you get when using the Set up School PCs app in your school.
-
-| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
-| --- | :---: | :---: | :---: | :---: |
-| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Guest account, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | -| **School policies**
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | -| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | -| **Take a Test**
Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | -| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | - - -> [!NOTE] -> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. - -## Automated Azure AD join -One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. - -To make this as seamless as possible, in your Azure AD tenant: -- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. - - **Figure 1** - Select the users you want to enable to join devices to Azure AD - - ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) - -- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. - - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. 
- - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. - -- Turn off multifactor authentication. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. - - **Figure 2** - Turn off multi-factor authentication in Azure AD - - ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) - -- Set the maximum number of devices a user can add to unlimited. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. - - **Figure 3** - Set maximum number of devices per user to unlimited - - ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) - -- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. - - **Figure 4** - Delete the accounts automatically created for the Azure AD tokens - - ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) - -- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. 
- - **Figure 5** - Sample summary page showing the expiration date - - ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) - - - - - -## Information about Windows Update - -Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: -* Wake nightly -* Check and install updates -* Forcibly reboot if necessary to finish applying updates - -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. 
However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: - - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - -## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). - -## Provisioning package details - -The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). - -### Education customizations set by local MDM policy - -- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. 
-- A custom Start layout, taskbar layout, and lock screen image are set. -- Prohibits unlocking the PC to developer mode. -- Prohibits untrusted Microsoft Store apps from being installed. -- Prohibits students from removing MDM. -- Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). -- Sets Windows Update to update nightly. - - -### Uninstalled apps - -- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) -- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) -- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) -- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) -- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) -- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) -- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) - -### Local Group Policies - -> [!IMPORTANT] -> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy path

Policy name

Value

Admin Templates > Control Panel > Personalization

Prevent enabling lock screen slide show

Enabled

Prevent changing lock screen and logon image

Enabled

Admin Templates > System > Power Management > Button Settings

Select the Power button action (plugged in)

Sleep

Select the Power button action (on battery)

Sleep

Select the Sleep button action (plugged in)

Sleep

Select the lid switch action (plugged in)

Sleep

Select the lid switch action (on battery)

Sleep

Admin Templates > System > Power Management > Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

Require a password when a computer wakes (on battery)

Enabled

Specify the system sleep timeout (plugged in)

5 minutes

Specify the system sleep timeout (on battery)

5 minutes

Turn off hybrid sleep (plugged in)

Enabled

Turn off hybrid sleep (on battery)

Enabled

Specify the unattended sleep timeout (plugged in)

5 minutes

Specify the unattended sleep timeout (on battery)

5 minutes

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

Specify the system hibernate timeout (plugged in)

Enabled, 0

Specify the system hibernate timeout (on battery)

Enabled, 0

Admin Templates>System>Power Management>Video and Display Settings

Turn off the display (plugged in)

5 minutes

Turn off the display (on battery)

5 minutes

Admin Templates>System>Power Management>Energy Saver Settings

Energy Saver Battery Threshold (on battery)

70

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Hide entry points for Fast User Switching

Enabled

Turn on convenience PIN sign-in

Disabled

Turn off picture password sign-in

Enabled

Turn off app notification on the lock screen

Enabled

Allow users to select when a password is required when resuming from connected standby

Disabled

Block user from showing account details on sign-in

Enabled

Admin Templates>System>User Profiles

Turn off the advertising ID

Enabled

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled

Allow users to log on using biometrics

Disabled

Allow domain users to log on using biometrics

Disabled

Admin Templates>Windows Components>Cloud Content

Do not show Windows Tips

Enabled

Turn off Microsoft consumer experiences

Enabled

Admin Templates>Windows Components>Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Allow Telemetry

Basic, 0

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

*MaintenanceStartTime*

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > OneDrive

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates > Windows Components > Windows Hello for Business

Use phone sign-in

Disabled

Use Windows Hello for Business

Disabled

Use biometrics

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled

Interactive logon: Do not display last user name

Enabled

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

User Account Control: Behavior of the elevation prompt for standard users

Auto deny


-
-## Use the app
-When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
-
-## Related topics
-
-[Set up Windows devices for education](set-up-windows-10.md)
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 5c865392c2..c4b90aee80 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -1,6 +1,6 @@ --- title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. +description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 ms.technology: Windows
@@ -8,308 +8,247 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: CelesteDG -ms.author: celested -ms.date: 12/11/2017 +author: lenewsad +ms.author: lanewsad +ms.date: 08/03/2018 --- -# Use the Set up School PCs app -**Applies to:** +# Use the Set up School PCs app -- Windows 10 +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. +Set up School PCs also: +* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. +* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state. +* Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours. +* Locks down the student PC to prevent activity that isn't beneficial to their education. -## What does this app do? +This article describes how to get started and provide information about your school in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). -Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. 
This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: -- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant -- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. -- Removes OEM preinstalled software from each student PC -- Auto-configures and saves a wireless network profile on each student PC -- Gives a friendly and unique name to each student device for future management -- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup -- Enables optional guest account for younger students, lost passwords, or visitors -- Enables optional secure testing account -- Enables optional Autopilot Reset feature to return devices to a fully configured or known IT-approved state -- Locks down the student PC to prevent mischievous activity: - * Prevents students from removing the PC from the school's device management system - * Prevents students from removing the Set up School PCs settings -- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours -- Customizes the Start layout with Office -- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more -- Uninstalls apps not specific to education, such as Solitaire -- Prevents students from adding personal Microsoft accounts to the PC +## Requirements +Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements. -You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
+* Office 365 and Azure Active Directory +* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40) +* Permission to buy apps in Microsoft Store for Education +* Set up School PCs app has permission to access the Microsoft Store for Education +* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office +* Student PCs must either: + * Be within range of the Wi-Fi network that you configured in the app. + * Have a wired Ethernet connection when you set them up. -> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA] +### Configure USB drive for additional space +USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS. +1. Insert the USB drive into your computer. +2. Go to the **Start** > **This PC**. +3. In the **Devices and drives** section, find your USB drive. Right-click to see its options. +4. Select **Format** from the list to bring up the **Format drive name** window. +5. Set **File system** to **NTFS**. +6. Click **Start** to format the drive. -You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI) +### Prepare existing PC account for new setup +Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data. -## Tips for success +If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state. -* **Run the same Windows 10 build on the admin device and the student PCs** +To begin, go to the **Settings** app on the appropriate PC. +1. Click **Update & Security** > **Recovery**. +2. In the **Reset this PC** section, click **Get started**. +3. Click **Remove everything**. 
- It's critical that the IT administrator's or technical teacher's device is running the same Windows 10 build as the student PCs that you're provisioning. +You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps: +1. Click **Troubleshoot** and then choose **Reset this PC**. +2. Select **Remove everything**. +3. If the option appears, select **Only the drive where Windows is installed**. +4. Click **Just remove my files**. +5. Click **Reset**. -* **Ensure that the student PCs meet the minimum OS requirements for the version of Set up School PCs** +## Recommendations +This section offers recommendations to prepare you for the best possible setup experience. +### Run the same Windows 10 build on the admin device and the student PCs +We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs. - Check the minimum OS requirements for the Set up School PCs app in the **System Requirements > OS** section of the app's description on the Microsoft Store. For example, the latest version of Set up School PCs requires Windows 10 versions with build 15063.0 or higher. Do not use the app to provision student PCs with Windows 10, version 1607 (build 14393) images. - - We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs that you're provisioning. +### Student PCs should meet OS requirements for the app +Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs. -* **Run the app at work** +To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**. 
- For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. +### Use app on a PC that is connected to your school's network +We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually. - > [!NOTE] - > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use. + > [!NOTE] + > Don't use the **Set up Schools PCs** app for PCs that must connect to: + >* Enterprise networks that require the user to accept Terms of Use. + >* Open Wi-Fi networks that require the user to accept Terms of Use. -* **Network tips** - * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password. - * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it. - - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues. +### Run app on an open network or network that requires a basic password +Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. 
-* **Apply to new student PCs** - * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost. - - > [!WARNING] - > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. +We recommend that you: +* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously. +* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. - * The student PCs must be in range of the Wi-Fi network that you configured in Set up School PCs or have a wired Ethernet connection when you set them up. Otherwise, setup will fail. - * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again. +>> [!WARNING] +> Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. - To do this: - - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**. - - Or, hit **Shift** + click **Restart** in the **Power** menu to load the Windows boot user experience. From there, follow these steps: - 1. Click **Troubleshoot** and then choose **Reset this PC**. - 2. Select **Remove everything**. - 3. Select **No - remove provisioning packages**. - 4. 
Select **Only the drive where Windows is installed** (this may not always show up). - 5. Click **Just remove my files**. - 6. Click **Reset**. +### Use an additional USB drive +To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. -* **Use an NTFS-formatted USB key** +### Limit changes to school-optimized settings - If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this: +We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in. - 1. Insert the USB key into your computer. - 2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results. - 3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options. - 4. Select **Format** from the list to bring up the **Format ** window. - 5. Set **File system** to **NTFS** and then click **Start** to format the drive. +## Create the provisioning package -* **Use more than one USB key** +The **Set up School PCs** app guides you through the configuration choices for the student PCs. - If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on. - -* **Keep it clean** - - We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). 
- -* **Get more info** - - Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). - -## Prerequisites - -- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40). - - The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish. - -- Install the app on your work PC and make sure you're connected to your school's network. -- You must have Office 365 and Azure Active Directory. -- You must have the Microsoft Store for Education configured. -- You must be a global admin in the Microsoft Store for Education. -- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app. -- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. -- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger. - -## Set up School PCs step-by-step - -### Create the provisioning package - -The **Set up School PCs** app guides you through the configuration choices for the student PCs. - -1. Launch the Set up School PCs app. - - **Figure 1** - Launch the Set up School PCs app - - ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) - -2. Click **Get started**. -3.
To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: - - To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. - - To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. - - If you opt to sign in, follow these steps: - - 1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details. - 2. Click **Next** once you've specified the account. - 3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more. - 4. Click **Accept**. - - The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud. - - **Figure 2** - Verify that the account you selected shows up - - ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png) - - 5. Click **Next**. - -4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: - 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. - 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. - - If you click **Skip**, you will see the following dialog. - * If you select **Got it**, you will go to the next page without Wi-Fi set up. - * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network. 
- - **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection - - ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) - -5. To assign a name to the student PCs, in the **Name these devices** page: - 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. - - > [!NOTE] - > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique. - - For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers. - - 2. Click **Next**. - -6. To specify other settings for the student PC, in the **Configure student PC settings** page: - - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image. - - > [!NOTE] - > If you select this option, the provisioning process will take longer (about 30 minutes). - - - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab. - - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1). - - Check this option if the device will not be part of a shared cart or lab. - - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). - - This setting also increases the maximum storage to 100% of the available disk space. 
This prevents the student's account from being erased if the student stores a lot of files or data, or if the student doesn't use the PC over a prolonged period. - - - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option. - - If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC. - - - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. - - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. - - **Figure 4** - Configure student PC settings - - ![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings_121117.png) - - When you're doing configuring the student PC settings, click **Next**. - -7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test. - 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs. - 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. - 3. Enter the assessment URL. - - You can leave the URL blank so that students can enter one later. 
This enables teachers to use the Take a Test account for daily quizzes or tests by having students manually enter a URL. - - **Figure 5** - Configure the Take a Test app - - ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png) - - 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. - -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: - * **Office 365 for Windows 10 S (Education Preview)** - * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail. - * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S. - * **Minecraft: Education Edition** - Free trial - * Popular **STEM and Makerspace apps** - - 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu. - 2. Click **Skip** if you don't want to provision any apps. - - **Figure 6** - Select from a set of recommended apps - - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png) +### Sign in +1. Open the Set up School PCs app on your PC and click **Get started**. - The set of recommended Microsoft Store for Education apps may vary from what we show here. + ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) +2. Select how you want to sign in. + a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3. + b. To complete setup without signing in, click **Skip**. 
Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network). +3. In the new window, select the account you want to use throughout setup. -9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. - 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. + ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspc-sign-in-select-1807.png) - **Figure 7** - Review your settings and change them as needed + To add an account not listed: +a. Click **Work or school account** > **Continue**. + b. Type in the account username and click **Next**. + c. You may be asked to verify the user account and password. - ![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png) +1. Click **Accept** to allow Set up School PCs to access your account throughout setup. +2. When your account name appears on the page, as shown in the image below, click **Next.** - 2. Click **Accept**. + ![Verify that the account you selected shows up](images/suspc-createpackage-signin-1807.png) -10. In the **Insert a USB drive now** page: - 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive. - 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. - 3. Click **Save** to save the provisioning package to the USB drive. +### Wireless network +Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. 
- **Figure 8** - Select the USB drive and save the provisioning package +Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** - ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) + ![Wireless network page with two Wi-Fi networks listed and one selected.](images/suspc-select-wifi-network-1807.png) -11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. +### Device names +Create a short name to add as a prefix to each of the PCs you set up. The name will help you recognize and manage this group of devices in your mobile device manager. The name must be five (5) characters or less. - **Figure 9** - Provisioning package is ready +To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers. - ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) - -12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. - - **Figure 10** - Line up the student PCs and get them ready for setup - - ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png) - -13. Click **Next**. -14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. - - Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package. 
- - **Figure 11** - Install the provisioning package on the student PCs - - ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png) + !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspc-device-names-1807.png) -### Apply the provisioning package to the student PCs -The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC. +### Settings +Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. -> [!NOTE] -> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE). +![Screenshot of the Current OS version page with the Select OS version menu selected, showing 6 Windows 10 options. All other settings on page are unavailable to select.](images/suspc-current-os-version-1807.png) -**To set up the student PC using the Set up School PCs provisioning package** +Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10. -1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**. +![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 
4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspc-available-student-settings-1807.png) - If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +> [!NOTE] +> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot below, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, you will not be asked to configure the time zone. - **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) +The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. - ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png) +|Setting |1703|1709|1803|What happens if I select it? |Note| +|---------|---------|---------|---------|---------|---------| +|Remove apps pre-installed by the device manufacturer |X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| +|Allow local storage (not recommended for shared devices) |X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| +|Optimize device for a single student, instead of a shared cart or lab |X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. 
In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +|Let guests sign in to these PCs |X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| +|Enable Autopilot Reset |Not available|X|X| Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| +|Lock screen background|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| -2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. +After you've made your selections, click **Next**. - **Figure 13** - Windows automatically detects the provisioning package and installs it +![Configure student PC settings page showing 5 settings, with two settings selected. Lock screen background image is the default image. Cursor is hovering over the blue Next button.](images/suspc-current-os-version-next-1807.png) - ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png) +### Time zone -3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC. +> [!WARNING] +> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. 
- **Figure 14** - Remove the USB drive when you see the message that the media can be removed +Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. - ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png) +![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspc-time-zone-1807.png) + +### Take a Test +Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device. +1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs. + + ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc-take-a-test-1807.png) + +2. Select from the advanced settings. Available settings inclue: + * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard. + * Allow teachers to monitor online tests: Enables screen capture in the Take a Test app. +3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment. +4. Click **Next**. + +### Recommended apps +Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu. + + ![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png) + +The following table lists the recommended apps you'll see. 
+ +|App |Note | +|---------|---------| +|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. | +|Minecraft: Education Edition | Free trial| +|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming| + +If you receive an error and are unable to add the selected apps, click **Skip**. Contact your IT admin to get these apps later. + + +### Summary +1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. +2. To make changes now, click any page along the left side of the window. +3. When finished, click **Accept**. + + ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspc-createpackage-summary-1807.png) + +### Insert USB +1. Insert a USB drive. The **Save** button will light up when your computer detects the USB. +2. Choose your USB drive from the list and click **Save**. + + ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc-savepackage-insertusb-1807.png) + +3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. + + ![Your provisioning package is ready screen with package filename and expiration date. 
Shows an active blue, Next button, and a gray Add a USB button.](images/suspc-savepackage-ppkgisready-1807.png) + +## Run package - Get PCs ready +Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**. -4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use. + ![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspc_runpackage_getpcsready.png) - If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. +## Run package - Install package on PC -## Related topics +The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device. + +When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school. + +> [!IMPORTANT] +> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). + +1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?** + + If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. 
United States is selected as the region and the Yes button is active.](images/win10_1703_oobe_firstscreen.png) + +2. Insert the USB drive. Windows automatically recognizes and installs the package. + + ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspc_studentpcsetup_installingsetupfile.png) +3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC. + + ![Screen with message telling user to remove the USB drive.](images/suspc_setup_removemediamessage.png) + +4. If you didn't set up the package with Azure AD Join, continue the Windows device setup experience. If you did configure the package with Azure AD Join, the computer is ready for use and no further configurations are required. + + If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources. -[Set up Windows devices for education](set-up-windows-10.md) diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md index 25df0da425..5dec2b8fb8 100644 --- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md @@ -28,7 +28,7 @@ The Application Virtualization (App-V) Desktop Client requires no additional pro ### Hardware Requirements -The hardware requirements requirements are applicable to all versions. +The hardware requirements are applicable to all versions. - Processor—See recommended system requirements for the operating system you are using. 
@@ -177,7 +177,7 @@ The Application Virtualization (App-V) Client for Remote Desktop Services requir
 ### Hardware Requirements
-The hardware requirements requirements are applicable to all versions.
+The hardware requirements are applicable to all versions.
 - Processor—See recommended system requirements for the operating system you are using.
diff --git a/mdop/index.md b/mdop/index.md
index 2eabdc2716..ef4167770e 100644
--- a/mdop/index.md
+++ b/mdop/index.md
@@ -7,7 +7,7 @@ ms.pagetype: mdop
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 07/24/2018
 ---
 # MDOP Information Experience
@@ -36,14 +36,14 @@ The following table provides links to the product documentation for the MDOP pro

AGPM 4.0 - Windows Vista SP1, Windows 7, Windows Server 2008, Windows Server 2008 R2

AGPM 3.0- Windows Vista SP1, Windows Server 2008

AGPM 2.5 - Windows Vista, Windows Server 2003

-

[Overview of Microsoft Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=232980)(https://go.microsoft.com/fwlink/p/?LinkId=232980)

-

[AGPM 4.0 SP3](https://technet.microsoft.com/library/mt346468.aspx) (https://technet.microsoft.com/library/mt346468.aspx)

-

[AGPM 4.0 SP2](https://go.microsoft.com/fwlink/p/?LinkId=325035) (https://go.microsoft.com/fwlink/p/?LinkId=325035)

+

[Overview of Microsoft Advanced Group Policy Management](agpm/index.md)

+

[AGPM 4.0 SP3](agpm/whats-new-in-agpm-40-sp3.md)

+

[AGPM 4.0 SP2](agpm/whats-new-in-agpm-40-sp2.md)

[AGPM 4.0 SP1](https://go.microsoft.com/fwlink/p/?LinkId=286715) (https://go.microsoft.com/fwlink/p/?LinkId=286715)

-

[AGPM 4.0](https://go.microsoft.com/fwlink/p/?LinkId=232964) (https://go.microsoft.com/fwlink/p/?LinkId=232964)

-

[AGPM 3.0](https://go.microsoft.com/fwlink/p/?LinkId=232967) (https://go.microsoft.com/fwlink/p/?LinkId=232967)

-

[AGPM 2.5](https://go.microsoft.com/fwlink/p/?LinkId=232969) (https://go.microsoft.com/fwlink/p/?LinkId=232969)

-

[AGPM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232275) (https://go.microsoft.com/fwlink/p/?LinkId=232275)

+

[AGPM 4.0](agpm/whats-new-in-agpm-40-sp1.md)

+

[AGPM 3.0](agpm/whats-new-in-agpm-30.md)

+

[AGPM 2.5](agpm/agpm-25-navengl.md)

+

[AGPM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232275)

Microsoft Application Virtualization (App-V) lets you make applications available to end user computers without installing the applications directly on those computers.

@@ -57,14 +57,13 @@ The following table provides links to the product documentation for the MDOP pro

[About Microsoft Application Virtualization 4.6 SP1](appv-v4/about-microsoft-application-virtualization-46-sp1.md)

[About Microsoft Application Virtualization 4.6](appv-v4/about-microsoft-application-virtualization-46.md)

[About Microsoft Application Virtualization 4.5](appv-v4/about-microsoft-application-virtualization-45.md)

-

[SoftGrid](https://go.microsoft.com/fwlink/p/?LinkId=232981) (https://go.microsoft.com/fwlink/p/?LinkId=232981)

-

[App-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231902) (https://go.microsoft.com/fwlink/p/?LinkId=231902)

+

[App-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231902)

[App-V 5.0 eBooks](https://go.microsoft.com/fwlink/p/?LinkId=309570) (https://go.microsoft.com/fwlink/p/?LinkId=309570)

Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption.

[Microsoft BitLocker Administration and Monitoring 2.5](mbam-v25/index.md)

-

[MBAM 2.5 Video Demonstration: Deploying MBAM 2.5](https://go.microsoft.com/fwlink/?LinkId=518206) (https://go.microsoft.com/fwlink/?LinkId=518206)

+

[MBAM 2.5 Video Demonstration: Deploying MBAM 2.5](https://go.microsoft.com/fwlink/?LinkId=518206)

[About MBAM 2.5 SP1](mbam-v25/about-mbam-25-sp1.md)

[About MBAM 2.0 SP1](mbam-v2/about-mbam-20-sp1.md)

[Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide](mbam-v2/index.md)

@@ -105,7 +104,7 @@ The following table provides links to the product documentation for the MDOP pro

[Microsoft Enterprise Desktop Virtualization 2.0](medv-v2/index.md)

[About MED-V 1.0 SP1](medv-v1/about-med-v-10-sp1.md)

[Microsoft Enterprise Desktop Virtualization 1.0](medv-v1/index.md)

-

[MED-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231903) (https://go.microsoft.com/fwlink/p/?LinkId=231903)

+

Microsoft User Experience Virtualization (UE-V) captures settings to apply to computers accessed by the user including desktop computers, laptop computers, and VDI sessions.

@@ -141,10 +140,6 @@ In addition to the product documentation available online, supplemental product - -

MDOP Videos

-

For a list of available MDOP videos, go to [Microsoft Desktop Optimization Pack Technologies Videos](https://go.microsoft.com/fwlink/p/?LinkId=234275) (https://go.microsoft.com/fwlink/p/?LinkId=234275).

-

MDOP Virtual Labs

For a list of available MDOP virtual labs, go to [Microsoft Desktop Optimization Pack (MDOP) Virtual Labs](https://go.microsoft.com/fwlink/p/?LinkId=234276) (https://go.microsoft.com/fwlink/p/?LinkId=234276).

@@ -168,9 +163,6 @@ In addition to the product documentation available online, supplemental product MDOP is a suite of products that can help streamline desktop deployment, management, and support across the enterprise. MDOP is available as an additional subscription for Software Assurance customers. -**Evaluate MDOP** -MDOP is also available for test and evaluation to [MSDN](http://msdn.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) and [TechNet](http://technet.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) subscribers in accordance with MDSN and TechNet agreements. - **Download MDOP** MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331). diff --git a/mdop/mbam-v25/getting-started-with-mbam-25.md b/mdop/mbam-v25/getting-started-with-mbam-25.md index 3513df82f6..a7ba39d226 100644 --- a/mdop/mbam-v25/getting-started-with-mbam-25.md +++ b/mdop/mbam-v25/getting-started-with-mbam-25.md @@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation: - [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653) -- [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347) - Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment. ## Getting started with MBAM 2.5 diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 7b603f1d3f..db4b4232a6 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -284,7 +284,7 @@ MBAM supports the following versions of Configuration Manager. -

Microsoft System Center Configuration Manager (Current Branch), version 1610

+

Microsoft System Center Configuration Manager (Current Branch), versions up to 1806

64-bit

@@ -335,6 +335,11 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll + +

Microsoft SQL Server 2017

+

Standard, Enterprise, or Datacenter

+

+

64-bit

Microsoft SQL Server 2016

Standard, Enterprise, or Datacenter

@@ -360,7 +365,7 @@ https://www.microsoft.com/en-us/download/details.aspx?id=54967< **Note** -In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 . In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features. +In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.   ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md index ca1329c6b0..6cb5d4878e 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md +++ b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md 
@@ -23,7 +23,7 @@ UE-V 2.1 SP1 adds support for Windows 10, in addition to the same software that
 ### Compatibility with Microsoft Azure
-Windows 10 lets enterprise users synchronize Windows app settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V on on-premises domain-joined computers only. To enable coexistence between Windows 10 and UE-V, you must disable the following UE-V templates using either PowerShell on each client or Group Policy.
+Windows 10 lets enterprise users synchronize Windows app settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined computers only. To enable coexistence between Windows 10 and UE-V, you must disable the following UE-V templates using either PowerShell on each client or Group Policy.
 In Group Policy, under the Microsoft User Experience Virtualization node, configure these policy settings:
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 4815821e0a..0aa8fe3acc 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
-ms.date: 11/01/2017
+ms.date: 08/01/2017
 ms.topic: conceptual
 ms.localizationpriority: medium
 ---
@@ -43,22 +43,31 @@ There are a couple of things we need to know when you pay for apps. You can add **To manage Allow users to shop setting** 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, and then click **Settings**. -3. On **Shop**, turn on or turn off **Allow users to shop**. +2. Select **Manage**, and then select **Settings**. +3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**. ![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png) +## Allow app requests + +People in your org can request license for apps that they need, or that others need. When **All app requests** is turned on, app requests are sent to org admins. Admins for your tenant will receive an email with the request, and can decide about making the purchase. + +**To manage All app requests** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) +2. Select **Manage**, and then select **Settings**. +3. On **Shop**, under **Shopping behavior** turn on or turn off **Allow app requests**. + ## Acquire apps **To acquire an app** 1. Sign in to http://businessstore.microsoft.com -2. Click **Shop**, or use Search to find an app. -3. Click the app you want to purchase. +2. Select **Shop for my group**, or use Search to find an app. +3. Select the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. -5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. -6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one. -7. Add your credit card or debit card info, and click **Next**. 
Your card info is saved as a payment option on **Billing - Payment methods**. +5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and select **Next**. +6. If you don’t have a payment method saved in **Billing & payments**, we will prompt you for one. +7. Add your credit card or debit card info, and select **Next**. Your card info is saved as a payment option on **Billing & payments - Payment methods**. -You’ll also need to have your business address saved on **Billing - Account profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information). +You’ll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information). Microsoft Store adds the app to your inventory. From **Products & services**, you can: - Distribute the app: add to private store, or assign licenses 
@@ -67,12 +76,4 @@ Microsoft Store adds the app to your inventory. From **Products & services**, yo For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md). -For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). - -## Request apps -People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase. - -**To manage Allow app requests** -1. Sign in to http://businessstore.microsoft.com -2. Click **Manage**, click **Settings**, and then click **Distribute**. -3. Under **Private store** turn on, or turn off **Allow app requests**. \ No newline at end of file +For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). \ No newline at end of file diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 742b3c694e..12d927fce2 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md 
@@ -55,7 +55,7 @@ Reclaim licenses, and then request a refund. If you haven't assigned licenses, s 1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. 3. Find the app you want to refund, click the ellipses under **Actions**, and then choose **View license details**. -4. Select the the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**. +4. Select the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**. 5. Click **Order history**, click the order you want to refund, and click **Refund order**. For free apps, the app will be removed from your inventory in **Apps & software**. diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index d7484344ae..aa159ddffe 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 5/31/2018 +ms.date: 07/31/2018 --- # Microsoft Store for Business and Education release history 
@@ -17,6 +17,13 @@ Microsoft Store for Business and Education regularly releases new and improved f
 Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+## June 2018
+- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection.
+- **Performance improvements in private store** - We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
+
+## May 2018
+- **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it.
+
 ## April 2018
 - **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.
 - **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 6dad7ccd03..22e03ceda8 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -10,7 +10,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 3/30/2018 +ms.date: 8/7/2018 --- # Roles and permissions in Microsoft Store for Business and Education @@ -31,10 +31,11 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | | +| Sign up for Microsoft Store for Business and Education | X | | Modify company profile settings | X | | | Acquire apps | X | X | | Distribute apps | X | X | +| Purchase subscription-based software | X | X |   - **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. @@ -43,7 +44,7 @@ This table lists the global user accounts and the permissions they have in Micro ## Microsoft Store roles and permissions -Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index e2988a84c9..3f6676128a 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md 
+++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 5/31/2018 +ms.date: 07/31/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,19 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**May 2018** +**July 2018** -| | | -|--------------------------------------|---------------------------------| -| ![performance icon](images/edu-icon.png) |**Immersive Reader app in Microsoft Store for Education**

Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2).

**Applies to**:
Microsoft Store for Education | +We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new feature - -
@@ -2164,6 +2165,34 @@ Footnotes: + +[TenantLockdown CSP](tenantlockdown-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5cross markcross mark
+ + + + [TPMPolicy CSP](tpmpolicy-csp.md) @@ -2416,6 +2445,34 @@ Footnotes: + +[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5cross markcross mark
+ + + + [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) @@ -2531,6 +2588,34 @@ Footnotes: + +[WiredNetwork CSP](wirednetwork-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5check mark5check mark5
+ + + + [w7 APPLICATION CSP](w7-application-csp.md) @@ -2568,6 +2653,7 @@ Footnotes: - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version ## CSP DDF files download @@ -2602,6 +2688,7 @@ The following list shows the configuration service providers supported in Window | [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | @@ -2614,6 +2701,7 @@ The following list shows the configuration service providers supported in Window - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 3e9c038842..30c188ac88 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md 
@@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 01/29/2018 +ms.date: 07/19/2018 --- # Defender CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. @@ -114,6 +116,9 @@ The following table describes the supported values: | 46 | Behavior | | 47 | Vulnerability | | 48 | Policy | +| 49 | EUS (Enterprise Unwanted Software)| +| 50 | Ransomware | +| 51 | ASR Rule |   @@ -126,19 +131,17 @@ The data type is a integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Detected -- 2 = Cleaned -- 3 = Quarantined -- 4 = Removed -- 5 = Allowed -- 6 = Blocked -- 102 = Clean failed -- 103 = Quarantine failed -- 104 = Remove failed -- 105 = Allow failed -- 106 = Abandoned -- 107 = Block failed +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with non critical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. 
@@ -175,6 +178,57 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. +**Health/ProductStatus** +Added in Windows 10, next major version. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. + +Data type is integer. Supported operation is Get. + +Supported product status values: +- No status = 0 +- Service not running = 1 << 0 +- Service started without any malware protection engine = 1 << 1 +- Pending full scan due to threat action = 1 << 2 +- Pending reboot due to threat action = 1 << 3 +- ending manual steps due to threat action = 1 << 4 +- AV signatures out of date = 1 << 5 +- AS signatures out of date = 1 << 6 +- No quick scan has happened for a specified period = 1 << 7 +- No full scan has happened for a specified period = 1 << 8 +- System initiated scan in progress = 1 << 9 +- System initiated clean in progress = 1 << 10 +- There are samples pending submission = 1 << 11 +- Product running in evaluation mode = 1 << 12 +- Product running in non-genuine Windows mode = 1 << 13 +- Product expired = 1 << 14 +- Off-line scan required = 1 << 15 +- Service is shutting down as part of system shutdown = 1 << 16 +- Threat remediation failed critically = 1 << 17 +- Threat remediation failed non-critically = 1 << 18 +- No status flags set (well initialized state) = 1 << 19 +- Platform is out of date = 1 << 20 +- Platform update is in progress = 1 << 21 +- Platform is about to be outdated = 1 << 22 +- Signature or platform end of life is past or is impending = 1 << 23 +- Windows SMode signatures still in use on non-Win10S install = 1 << 24 + +Example: + +``` syntax + + + + 1 + + + ./Vendor/MSFT/Defender/Health/ProductStatus + + + + + + +``` + **Health/ComputerState** Provide the current state of the device. 
@@ -185,9 +239,9 @@ The following list shows the supported values: - 0 = Clean - 1 = Pending full scan - 2 = Pending reboot -- 4 = Pending manual steps +- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) - 8 = Pending offline scan -- 16 = Pending critical failure +- 16 = Pending critical failure (Windows Defender has failed critically and an Adminsitrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) Supported operation is Get. @@ -311,7 +365,7 @@ Node that can be used to perform signature updates for Windows Defender. Supported operations are Get and Execute. **OfflineScan** -Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan. +Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. After the next OS reboot, the device will start in Windows Defender offline mode to begin the scan. Supported operations are Get and Execute. @@ -320,12 +374,3 @@ Supported operations are Get and Execute. [Configuration service provider reference](configuration-service-provider-reference.md) -  - -  - - - - - - diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index c0f90952b5..afd02d79f2 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 01/29/20178 +ms.date: 07/12/2018 --- # Defender DDF file 
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Defende Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -43,7 +43,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.1/MDM/Defender + com.microsoft/1.2/MDM/Defender @@ -286,6 +286,26 @@ The XML below is the current version for this CSP. + + ProductStatus + + + + + + + + + + + + + + + text/plain + + + ComputerState diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 4537f2c630..27dd7bead4 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/25/2017 +ms.date: 07/11/2018 --- # DevDetail CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands. > [!NOTE] @@ -140,7 +143,12 @@ The following diagram shows the DevDetail configuration service provider managem **Ext/Microsoft/TotalRAM**

Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). -

Supported operation is Get. +Supported operation is Get. + +**Ext/Microsoft/SMBIOSSerialNumber** +Added in Windows 10, next major version. SMBIOS Serial Number of the device. + +Value type is string. Supported operation is Get. **Ext/WLANMACAddress**

The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 7a3c0a14cc..737bb65143 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -7,16 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 07/11/2018 --- # DevDetail DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - urn:oma:mo:oma-dm-devdetail:1.1 + urn:oma:mo:oma-dm-devdetail:1.2 @@ -525,6 +528,27 @@ The XML below is the current version for this CSP. + + SMBIOSSerialNumber + + + + + SMBIOS Serial Number of the device. + + + + + + + + + + + text/plain + + + WLANMACAddress @@ -676,19 +700,4 @@ The XML below is the current version for this CSP. -``` - -## Related topics - - -[DevDetail configuration service provider](devdetail-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 89a798ab13..a20317c21f 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md 
@@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/26/2018 --- # DeviceStatus CSP @@ -178,11 +178,24 @@ Supported operation is Get. **DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antispyware signature. +Valid values: + +- 0 - The security software reports that it is not the most recent version. +- 1 - The security software reports that it is the most recent version. +- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + Supported operation is Get. **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. +Valid values: + +- 0 - The status of the security provider category is good and does not need user attention. +- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). +- 2 - The status of the security provider category is poor and the computer may be at risk. +- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + Supported operation is Get. **DeviceStatus/Firewall** diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index bde1f8c70d..a33799474c 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md 
@@ -658,7 +658,7 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the the management service provider expects to provision, delimited by the character L"\xF000". +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000". Supported operations are Add, Delete, Get, and Replace. Value type is string. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 5e60eb85a2..010ca41cad 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -30,7 +30,7 @@ Here is a partial screenshot of the result: The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. > [!Note] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. 
@@ -106,7 +106,7 @@ Requirements: - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. -1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**. +1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 2. Create a Security Group for the PCs. 3. Link the GPO. 4. Filter using Security Groups. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index b4f3ce2304..6d9a0e4458 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/01/2018 +ms.date: 07/24/2018 --- # EnterpriseModernAppManagement CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). @@ -23,30 +25,30 @@ The following image shows the EnterpriseModernAppManagement configuration servic ![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) **Device or User context** -

For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. +For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. > [!Note] > Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. **AppManagement** -

Required. Used for inventory and app management (post-install). +Required. Used for inventory and app management (post-install). **AppManagement/UpdateScan** -

Required. Used to start the Windows Update scan. +Required. Used to start the Windows Update scan. -

Supported operation is Execute. +Supported operation is Execute. **AppManagement/LastScanError** -

Required. Reports the last error code returned by the update scan. +Required. Reports the last error code returned by the update scan. -

Supported operation is Get. +Supported operation is Get. **AppManagement/AppInventoryResults** -

Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. +Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. -

Supported operation is Get. +Supported operation is Get. -

Here's an example of AppInventoryResults operation. +Here's an example of AppInventoryResults operation. ``` syntax @@ -60,9 +62,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **AppManagement/AppInventoryQuery** -

Added in Windows 10, version 1511. Required. Specifies the query for app inventory. +Added in Windows 10, version 1511. Required. Specifies the query for app inventory. -

Query parameters: +Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Mutiple value must be separate by |. Valid values are: - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. @@ -92,9 +94,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic If you do not specify this value, then all publishers are returned. -

Supported operation is Get and Replace. +Supported operation is Get and Replace. -

The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. ``` syntax @@ -109,9 +111,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **AppManagement/RemovePackage** -

Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. +Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. -

Parameters: +Parameters:

  • Package
      @@ -128,9 +130,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic
    -

    Supported operation is Execute. +Supported operation is Execute. -

    The following example removes a package for all users: +The following example removes a package for all users: ````XML @@ -148,30 +150,30 @@ The following image shows the EnterpriseModernAppManagement configuration servic ```` **AppManagement/nonStore** -

    Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. +Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. -

    Supported operation is Get. +Supported operation is Get. **AppManagement/System** -

    Reports apps installed as part of the operating system. +Reports apps installed as part of the operating system. -

    Supported operation is Get. +Supported operation is Get. **AppManagement/AppStore** -

    Required. Used for managing apps from the Microsoft Store. +Required. Used for managing apps from the Microsoft Store. -

    Supported operations are Get and Delete. +Supported operations are Get and Delete. **.../****_PackageFamilyName_** -

    Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. -

    Supported operations are Get and Delete. +Supported operations are Get and Delete. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. -

    Here's an example for uninstalling an app: +Here's an example for uninstalling an app: ``` syntax @@ -191,79 +193,76 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **.../*PackageFamilyName*/****_PackageFullName_** -

    Optional. Full name of the package installed. +Optional. Full name of the package installed. -

    Supported operations are Get and Delete. +Supported operations are Get and Delete. > [!Note] > XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.   **.../*PackageFamilyName*/*PackageFullName*/Name** -

    Required. Name of the app. Value type is string. +Required. Name of the app. Value type is string. -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Version** -

    Required. Version of the app. Value type is string. +Required. Version of the app. Value type is string. -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Publisher** -

    Required. Publisher name of the app. Value type is string. +Required. Publisher name of the app. Value type is string. -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Architecture** -

    Required. Architecture of installed package. Value type is string. +Required. Architecture of installed package. Value type is string. > [!Note] > Not applicable to XAP files.   -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallLocation** -

    Required. Install location of the app on the device. Value type is string. +Required. Install location of the app on the device. Value type is string. > [!Note] > Not applicable to XAP files.   - -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsFramework** -

    Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. +Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. > [!Note] > Not applicable to XAP files. -  -

    Supported operation is Get. + Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsBundle** -

    Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. +Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallDate** -

    Required. Date the app was installed. Value type is string. +Required. Date the app was installed. Value type is string. -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/ResourceID** -

    Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. +Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. > [!Note] > Not applicable to XAP files. -   -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/PackageStatus** -

    Required. Provides information about the status of the package. Value type is int. Valid values are: +Required. Provides information about the status of the package. Value type is int. Valid values are: - OK (0) - The package is usable. - LicenseIssue (1) - The license of the package is not valid. @@ -274,50 +273,47 @@ The following image shows the EnterpriseModernAppManagement configuration servic > [!Note] > Not applicable to XAP files. -  - -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** -

    Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. +Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. > [!Note] > Not applicable to XAP files. -   -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Users** -

    Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. +Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. - Not Installed = 0 - Staged = 1 - Installed = 2 - Paused = 6 -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsProvisioned** -

    Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. +Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. -

    Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/DoNotUpdate** -

    Required. Specifies whether you want to block a specific app from being updated via auto-updates. +Required. Specifies whether you want to block a specific app from being updated via auto-updates. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. **.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT) -

    Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. +Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. **.../*PackageFamilyName*/AppSettingPolicy/****_SettingValue_** (only for ./User/Vendor/MSFT) -

    Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. +Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. -

    This setting only works for apps that support the feature and it is only supported in the user context. +This setting only works for apps that support the feature and it is only supported in the user context. -

    Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. Supported operations are Add, Get, Replace, and Delete. -

    The following example sets the value for the 'Server' +The following example sets the value for the 'Server' ``` syntax @@ -335,7 +331,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` -

    The following example gets all managed app settings for a specific app. +The following example gets all managed app settings for a specific app. ``` syntax @@ -349,7 +345,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` -**.../*PackageFamilyName*/MaintainProcessorArchitectureOnUpdate** +**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. Supported operations are Add, Get, Delete, and Replace. Value type is integer. 
@@ -363,32 +359,108 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M |True |Disabled |X86 flavor is picked | |False (not set) |Not configured |X64 flavor is picked | +**.../_PackageFamilyName_/NonRemovable** +Added in Windows 10, next major version. Specifies if an app is nonremovable by the user. + +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + +NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + +Value type is integer. Supported operations are Add, Get, and Replace. + +Valid values: +- 0 – app is not in the nonremovable app policy list +- 1 – app is included in the nonremovable app policy list + +**Examples:** + +Add an app to the nonremovable app policy list +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 1 + + + + + +``` + +Get the status for a particular app +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + +``` + +Replace an app in the nonremovable app policy list +Data 0 = app is not in the app policy list +Data 1 = app is in the app policy list +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 0 + + + + + +``` + **AppInstallation** -

    Required node. Used to perform app installation. +Required node. Used to perform app installation. **AppInstallation/****_PackageFamilyName_** -

    Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. -

    Supported operations are Get and Add. +Supported operations are Get and Add. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.   **AppInstallation/*PackageFamilyName*/StoreInstall** -

    Required. Command to perform an install of an app and a license from the Microsoft Store. +Required. Command to perform an install of an app and a license from the Microsoft Store. -

    Supported operation is Execute, Add, Delete, and Get. +Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/HostedInstall** -

    Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). +Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). -

    Supported operation is Execute, Add, Delete, and Get. +Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/LastError** -

    Required. Last error relating to the app installation. +Required. Last error relating to the app installation. -

    Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed. @@ -396,50 +468,50 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M   **AppInstallation/*PackageFamilyName*/LastErrorDescription** -

    Required. Description of last error relating to the app installation. +Required. Description of last error relating to the app installation. -

    Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed.   **AppInstallation/*PackageFamilyName*/Status** -

    Required. Status of app installation. The following values are returned: +Required. Status of app installation. The following values are returned: - NOT\_INSTALLED (0) - The node was added, but the execution has not completed. - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. -

    Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed.   **AppInstallation/*PackageFamilyName*/ProgessStatus** -

    Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). +Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). -

    Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed.   **AppLicenses** -

    Required node. Used to manage licenses for app scenarios. +Required node. Used to manage licenses for app scenarios. **AppLicenses/StoreLicenses** -

    Required node. Used to manage licenses for store apps. +Required node. Used to manage licenses for store apps. **AppLicenses/StoreLicenses/****_LicenseID_** -

    Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. +Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. -

    Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** -

    Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: +Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: - Unknown - unknown license category - Retail - license sold through retail channels, typically from the Microsoft Store @@ -447,39 +519,39 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M - OEM - license issued to an OEM - Developer - developer license, typically installed during the app development or side-loading scernarios. -

    Supported operation is Get. +Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** -

    Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: +Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: - Unknown - usage is unknown - Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. - Offline - license is valid for use offline. You don't need a connection to the internet to use this license. - Enterprise Root - -

    Supported operation is Get. +Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/RequesterID** -

    Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. +Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. -

    Supported operation is Get. +Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/AddLicense** -

    Required. Command to add license. +Required. Command to add license. -

    Supported operation is Execute. +Supported operation is Execute. **AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore** -

    Added in Windows 10, version 1511. Required. Command to get license from the store. +Added in Windows 10, version 1511. Required. Command to get license from the store. -

    Supported operation is Execute. +Supported operation is Execute. ## Examples -

    For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). +For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). -

    Query the device for a specific app subcategory, such as nonStore apps. +Query the device for a specific app subcategory, such as nonStore apps. ``` syntax @@ -492,9 +564,9 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M ``` -

    The result contains a list of apps, such as <Data>App1/App2/App3</Data>. +The result contains a list of apps, such as <Data>App1/App2/App3</Data>. -

    Subsequent query for a specific app for its properties. +Subsequent query for a specific app for its properties. ``` syntax diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 08075cd45e..fe58f406bd 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -7,17 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/01/2018 +ms.date: 07/23/2018 --- # EnterpriseModernAppManagement DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1803. +The XML below is for Windows 10, next major version. ``` syntax @@ -26,41 +28,85 @@ The XML below is for Windows 10, version 1803. []> 1.2 + + EnterpriseModernAppManagement + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + AppManagement + + + + + + + + + + + + + + + + + - EnterpriseModernAppManagement - ./Vendor/MSFT + + + - + - + + EnterpriseID - AppManagement + + + - + - + + PackageFamilyName 
@@ -76,632 +122,19 @@ The XML below is for Windows 10, version 1803. - - - - - - - EnterpriseID - - - - - - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - - - - - - - - - - - - - - - PackageFullName - - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - Version - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - text/plain - - - - - Architecture - - - - - - - - - - - - - - - text/plain - - - - - InstallLocation - - - - - - - - - - - - - - - text/plain - - - - - IsFramework - - - - - - - - - - - - - - - text/plain - - - - - IsBundle - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - text/plain - - - - - ResourceID - - - - - - - - - - - - - - - text/plain - - - - - PackageStatus - - - - - - - - - - - - - - - text/plain - - - - - RequiresReinstall - - - - - - - - - - - - - - - text/plain - - - - - Users - - - - - - - - - - - - - - - text/plain - - - - - IsProvisioned - - - - - - - - - - - - - - - text/plain - - - - - - DoNotUpdate - - - - - - - - - - - - - - - - - DoNotUpdate - - text/plain - - - - - AppSettingPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SettingValue - - text/plain - - - - - - MaintainProcessorArchitectureOnUpdate - - - - - - - - - - - - - - - - - MaintainProcessorArchitectureOnUpdate - - text/plain - - - - - - - UpdateScan - - - - - - - - - - - - - - - text/plain - - - - - LastScanError - - - - - - - - - - - - - - - text/plain - - - - - AppInventoryResults - - - - - - - - - - - - - - - text/plain - - - - - AppInventoryQuery - - - - - - - - - - - - - - - - text/plain - - - - - RemovePackage - - - - - - - - - - - - - - - - text/plain - - - - - - AppInstallation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - PackageFamilyName + PackageFullName - StoreInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - HostedInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - 
LastError - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc + Name @@ -721,7 +154,87 @@ The XML below is for Windows 10, version 1803. - Status + Version + + + + + + + + + + + + + + + text/plain + + + + + Publisher + + + + + + + + + + + + + + + text/plain + + + + + Architecture + + + + + + + + + + + + + + + text/plain + + + + + InstallLocation + + + + + + + + + + + + + + + text/plain + + + + + IsFramework @@ -741,7 +254,127 @@ The XML below is for Windows 10, version 1803. - ProgressStatus + IsBundle + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + text/plain + + + + + ResourceID + + + + + + + + + + + + + + + text/plain + + + + + PackageStatus + + + + + + + + + + + + + + + text/plain + + + + + RequiresReinstall + + + + + + + + + + + + + + + text/plain + + + + + Users + + + + + + + + + + + + + + + text/plain + + + + + IsProvisioned @@ -761,31 +394,38 @@ The XML below is for Windows 10, version 1803. - - - AppLicenses - - - - - - - - - - - - - - - - - - StoreLicenses + DoNotUpdate + + + + + + + + + + + + + + DoNotUpdate + + text/plain + + + + + AppSettingPolicy + + + + + + @@ -794,7 +434,7 @@ The XML below is for Windows 10, version 1803. - + @@ -807,9 +447,10 @@ The XML below is for Windows 10, version 1803. + - + @@ -817,13 +458,171 @@ The XML below is for Windows 10, version 1803. - LicenseID + SettingValue + + text/plain + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + text/plain + + + + + NonRemovable + + + + + + + + + + + + + + + + NonRemovable + + text/plain + + + + + + ReleaseManagement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ReleaseManagementKey + + + + + + ChannelId + + + + + + + + + + + + + + + + + + text/plain + + + + + ReleaseId + + + + + + + + + + + + + + + + + + text/plain + + + + + EffectiveRelease + + + + + + + + + + + + + - LicenseCategory + ChannelId 
@@ -832,7 +631,7 @@ The XML below is for Windows 10, version 1803. - + @@ -843,7 +642,7 @@ The XML below is for Windows 10, version 1803. - LicenseUsage + ReleaseId @@ -852,67 +651,7 @@ The XML below is for Windows 10, version 1803. - - - - - - - text/plain - - - - - RequesterID - - - - - - - - - - - - - - - text/plain - - - - - AddLicense - - - - - - - - - - - - - - - text/plain - - - - - GetLicenseFromStore - - - - - - - - - + 
@@ -926,19 +665,442 @@ The XML below is for Windows 10, version 1803. + + UpdateScan + + + + + + + + + + + + + + + text/plain + + + + + LastScanError + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryResults + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryQuery + + + + + + + + + + + + + + + + text/plain + + + + + RemovePackage + + + + + + + + + + + + + + + + text/plain + + + + + + AppInstallation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + + StoreInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + HostedInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ProgressStatus + + + + + + + + + + + + + + + text/plain + + + + + + + AppLicenses + + + + + + + + + + + + + + + + + + + StoreLicenses + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + LicenseID + + + + + + LicenseCategory + + + + + + + + + + + + + + + text/plain + + + + + LicenseUsage + + + + + + + + + + + + + + + text/plain + + + + + RequesterID + + + + + + + + + + + + + + + text/plain + + + + + AddLicense + + + + + + + + + + + + + + + text/plain + + + + + GetLicenseFromStore + + + + + + + + + + + + + + + text/plain + + + + + + + -``` - -## Related topics - -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 1a552c057a..2a75d65c24 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
@@ -14,7 +14,7 @@ ms.date: 01/26/2018
 The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
-Firewall configuration commands must be wrapped in an Atomic block in SyncML.
+Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.
 For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
@@ -284,7 +284,7 @@ Sample syncxml to provision the firewall settings to evaluate
 **FirewallRules/_FirewallRuleName_/Enabled**

    Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -

    If not specified - a new rule is disabled by default.

    +

    If not specified - a new rule is enabled by default.

    Boolean value. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Profiles**
@@ -310,7 +310,7 @@ Sample syncxml to provision the firewall settings to evaluate
    • IN - the rule applies to inbound traffic.
    • OUT - the rule applies to outbound traffic.
    • -
    • If not specified, the default is IN.
    • +
    • If not specified, the default is Out.

    Value type is string. Supported operations are Get and Replace.

    @@ -331,7 +331,7 @@ Sample syncxml to provision the firewall settings to evaluate

    New rules have the EdgeTraversal property disabled by default.

    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

    -**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
    +**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList**

    Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    diff --git a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png
index e19bae9106..cc7920f7f5 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png and b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index 4d90f1b6f2..fa27e9baf2 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index 3145a82ea4..f5cf62ff0f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
index a28f41fe6a..95d2fcf840 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png
index f12f2fbd44..af267f4f6d 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png and b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index 69effac5fd..be91906aa3 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
index 58ee388b92..a066d9261e 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png b/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png
new file mode 100644
index 0000000000..e788aebb52
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wifi.png b/windows/client-management/mdm/images/provisioning-csp-wifi.png
index 463a784f95..f5891084ea 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-wifi.png and b/windows/client-management/mdm/images/provisioning-csp-wifi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png b/windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png
new file mode 100644
index 0000000000..a15961bbcc
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
index c8f2721143..0f5e318d8f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png
index 82d66f6742..3345eb730c 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png and b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png b/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png
new file mode 100644
index 0000000000..2fd93631ff
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png differ
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 9b846e226a..fcc6d7386e 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 04/12/2018
+ms.date: 08/08/2018
 ---
 # NetworkProxy CSP
@@ -34,7 +34,10 @@ The following diagram shows the NetworkProxy configuration service provider in t
 The root node for the NetworkProxy configuration service provider..

    **ProxySettingsPerUser**
-Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide; set to 1 for proxy configuratio per user.
+Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
+
+> [!Note]
+> Per user proxy configuration setting is not supported.
 **AutoDetect**
 Automatically detect settings. If enabled, the system tries to find the path to a PAC script.

    diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index f90211d1ae..4e9a8c5b10 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 06/26/2018
+ms.date: 08/14/2018
 ---
 # What's new in MDM enrollment and management
@@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 - [What's new in Windows 10, version 1703](#whatsnew10)
 - [What's new in Windows 10, version 1709](#whatsnew1709)
 - [What's new in Windows 10, version 1803](#whatsnew1803)
+- [What's new in Windows 10, next major version](#whatsnewnext)
 - [Change history in MDM documentation](#change-history-in-mdm-documentation)
 - [Breaking changes and known issues](#breaking-changes-and-known-issues)
 - [Get command inside an atomic command is not supported](#getcommand)
@@ -934,7 +935,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
  • DomainName - fully qualified domain name if the device is domain-joined.
-

For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

+

For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

[Firewall CSP](firewall-csp.md) @@ -1357,6 +1358,124 @@ For details about Microsoft mobile device management protocols for Windows 10 s +## What's new in Windows 10, next major version + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies in Windows 10, next major version:

+
    +
  • ApplicationManagement/LaunchAppAfterLogOn
  • +
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • +
  • Authentication/EnableFastFirstSignIn
  • +
  • Authentication/EnableWebSignIn
  • +
  • Authentication/PreferredAadTenantDomainName
  • +
  • Browser/AllowFullScreenMode
  • +
  • Browser/AllowPrelaunch
  • +
  • Browser/AllowPrinting
  • +
  • Browser/AllowSavingHistory
  • +
  • Browser/AllowSideloadingOfExtensions
  • +
  • Browser/AllowTabPreloading
  • +
  • Browser/AllowWebContentOnNewTabPage
  • +
  • Browser/ConfigureFavoritesBar
  • +
  • Browser/ConfigureHomeButton
  • +
  • Browser/ConfigureKioskMode
  • +
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • +
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • +
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • +
  • Browser/PreventCertErrorOverrides
  • +
  • Browser/SetHomeButtonURL
  • +
  • Browser/SetNewTabPageURL
  • +
  • Browser/UnlockHomeButton
  • +
  • Defender/CheckForSignaturesBeforeRunningScan
  • +
  • Defender/DisableCatchupFullScan
  • +
  • Defender/DisableCatchupQuickScan
  • +
  • Defender/EnableLowCPUPriority
  • +
  • Defender/SignatureUpdateFallbackOrder
  • +
  • Defender/SignatureUpdateFileSharesSources
  • +
  • DeviceGuard/EnableSystemGuard
  • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • +
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • +
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • +
  • DmaGuard/DeviceEnumerationPolicy
  • +
  • Experience/AllowClipboardHistory
  • +
  • Experience/DoNotSyncBrowserSettings
  • +
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • +
  • Privacy/AllowCrossDeviceClipboard
  • +
  • Privacy/UploadUserActivities
  • +
  • Security/RecoveryEnvironmentAuthentication
  • +
  • TaskManager/AllowEndTask
  • +
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • +
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • +
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • +
  • Update/SetDisablePauseUXAccess
  • +
  • Update/SetDisableUXWUAccess
  • +
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • +
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • +
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • +
  • WindowsLogon/DontDisplayNetworkSelectionUI
  • +
+
[PassportForWork CSP](passportforwork-csp.md)

Added new settings in Windows 10, next major version.

+
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Added NonRemovable setting under AppManagement node in Windows 10, next major version.

+
[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

Added new configuration service provider in Windows 10, next major version.

+
[WindowsLicensing CSP](windowslicensing-csp.md)

Added S mode settings and SyncML examples in Windows 10, next major version.

+
[SUPL CSP](supl-csp.md)

Added 3 new certificate nodes in Windows 10, next major version.

+
[Defender CSP](defender-csp.md)

Added a new node Health/ProductStatus in Windows 10, next major version.

+
[BitLocker CSP](bitlocker-csp.md)

Added a new node AllowStandardUserEncryption in Windows 10, next major version.

+
[DevDetail CSP](devdetail-csp.md)

Added a new node SMBIOSSerialNumber in Windows 10, next major version.

+
[Wifi CSP](wifi-csp.md)

Added a new node WifiCost in Windows 10, next major version.

+
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

Added new settings in Windows 10, next major version.

+
[TenantLockdown CSP](\tenantlockdown--csp.md)

Added new CSP in Windows 10, next major version.

+
+ + ## Breaking changes and known issues ### Get command inside an atomic command is not supported @@ -1623,6 +1742,153 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### August 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[TenantLockdown CSP](\tenantlockdown--csp.md)

Added new CSP in Windows 10, next major version.

+
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

Added new settings in Windows 10, next major version.

+
[Policy DDF file](policy-ddf-file.md)

Posted an updated version of the Policy DDF for Windows 10, next major version.

+
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies in Windows 10, next major version:

+
    +
  • Browser/AllowFullScreenMode
  • +
  • Browser/AllowPrelaunch
  • +
  • Browser/AllowPrinting
  • +
  • Browser/AllowSavingHistory
  • +
  • Browser/AllowSideloadingOfExtensions
  • +
  • Browser/AllowTabPreloading
  • +
  • Browser/AllowWebContentOnNewTabPage
  • +
  • Browser/ConfigureFavoritesBar
  • +
  • Browser/ConfigureHomeButton
  • +
  • Browser/ConfigureKioskMode
  • +
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • +
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • +
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • +
  • Browser/PreventCertErrorOverrides
  • +
  • Browser/SetHomeButtonURL
  • +
  • Browser/SetNewTabPageURL
  • +
  • Browser/UnlockHomeButton
  • +
  • Experience/DoNotSyncBrowserSettings
  • +
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • +
  • Privacy/AllowCrossDeviceClipboard
  • +
  • Privacy/UploadUserActivities
  • +
  • Update/UpdateNotificationLevel
  • +
+
+ +### July 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[AssignedAccess CSP](assignedaccess-csp.md)

Added the following note:

+
    +
  • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
  • +
+
[PassportForWork CSP](passportforwork-csp.md)

Added new settings in Windows 10, next major version.

+
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Added NonRemovable setting under AppManagement node in Windows 10, next major version.

+
[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

Added new configuration service provider in Windows 10, next major version.

+
[WindowsLicensing CSP](windowslicensing-csp.md)

Added S mode settings and SyncML examples in Windows 10, next major version.

+
[SUPL CSP](supl-csp.md)

Added 3 new certificate nodes in Windows 10, next major version.

+
[Defender CSP](defender-csp.md)

Added a new node Health/ProductStatus in Windows 10, next major version.

+
[BitLocker CSP](bitlocker-csp.md)

Added a new node AllowStandardUserEncryption in Windows 10, next major version.

+
[DevDetail CSP](devdetail-csp.md)

Added a new node SMBIOSSerialNumber in Windows 10, next major version.

+
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies in Windows 10, next major version:

+
    +
  • ApplicationManagement/LaunchAppAfterLogOn
  • +
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • +
  • Authentication/EnableFastFirstSignIn
  • +
  • Authentication/EnableWebSignIn
  • +
  • Authentication/PreferredAadTenantDomainName
  • +
  • Defender/CheckForSignaturesBeforeRunningScan
  • +
  • Defender/DisableCatchupFullScan
  • +
  • Defender/DisableCatchupQuickScan
  • +
  • Defender/EnableLowCPUPriority
  • +
  • Defender/SignatureUpdateFallbackOrder
  • +
  • Defender/SignatureUpdateFileSharesSources
  • +
  • DeviceGuard/EnableSystemGuard
  • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • +
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • +
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • +
  • DmaGuard/DeviceEnumerationPolicy
  • +
  • Experience/AllowClipboardHistory
  • +
  • Security/RecoveryEnvironmentAuthentication
  • +
  • TaskManager/AllowEndTask
  • +
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • +
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • +
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • +
  • WindowsLogon/DontDisplayNetworkSelectionUI
  • +
+

Recent changes:

+
    +
  • DataUsage/SetCost3G - deprecated in Windows 10, next major version.
  • +
+
+ ### June 2018 @@ -1638,6 +1904,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + + + + + + + +
[Wifi CSP](wifi-csp.md)

Added a new node WifiCost in Windows 10, next major version.

+
[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)

Recent changes:

    @@ -1646,6 +1916,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
[Bitlocker CSP](bitlocker-csp.md)

Added new node AllowStandardUserEncryption in Windows 10, next major version.

+
[Policy CSP](policy-configuration-service-provider.md)

Recent changes:

    @@ -1658,6 +1932,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Start/StartLayout - added a table of SKU support information.
  • Start/ImportEdgeAssets - added a table of SKU support information.
+

Added the following new policies in Windows 10, next major version:

+
    +
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • +
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • +
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • +
  • Update/SetDisablePauseUXAccess
  • +
  • Update/SetDisableUXWUAccess
  • +
+
[WiredNetwork CSP](wirednetwork-csp.md)New CSP added in Windows 10, next major version.
@@ -2188,7 +2474,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
  • DomainName - fully qualified domain name if the device is domain-joined.
  • -

    For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

    +

    For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

    [EntepriseAPN CSP](enterpriseapn-csp.md) diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index ec53302d3c..3dd02f716d 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 07/26/2018 --- # PassportForWork CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] @@ -30,204 +33,243 @@ The following diagram shows the PassportForWork configuration service provider i ![passportforwork diagram](images/provisioning-csp-passportforwork2.png) **PassportForWork** -

    Root node for PassportForWork configuration service provider. +Root node for PassportForWork configuration service provider. ***TenantId*** -

    A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. +A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. ***TenantId*/Policies** -

    Node for defining the Windows Hello for Business policy settings. +Node for defining the Windows Hello for Business policy settings. ***TenantId*/Policies/UsePassportForWork** -

    Boolean value that sets Windows Hello for Business as a method for signing into Windows. +Boolean value that sets Windows Hello for Business as a method for signing into Windows. -

    Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. +Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/RequireSecurityDevice** -

    Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. +Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. -

    Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. +Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT) -

    Added in Windows 10, version 1703. Root node for excluded security devices. -

    *Not supported on Windows Holographic and Windows Holographic for Business.* +Added in Windows 10, version 1703. Root node for excluded security devices. +*Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT) -

    Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). +Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). -

    Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. +Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. -

    If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. +If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/EnablePinRecovery** -

    Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. +Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service. -

    Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. +Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. -

    If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT) -

    Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. +Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. -

    If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. +If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. -

    If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. +If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity** -

    Node for defining PIN settings. +Node for defining PIN settings. ***TenantId*/Policies/PINComplexity/MinimumPINLength** -

    Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. +Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. -

    If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. +If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. > [!NOTE] > If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.   -

    Value type is int. Supported operations are Add, Get, Delete, and Replace. +Value type is int. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/MaximumPINLength** -

    Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. +Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. -

    If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. +If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. > [!NOTE] > If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.   -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/UppercaseLetters** -

    Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. +Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. -

    Valid values: +Valid values: - 0 - Allows the use of uppercase letters in PIN. - 1 - Requires the use of at least one uppercase letters in PIN. - 2 - Does not allow the use of uppercase letters in PIN. -

    Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/LowercaseLetters** -

    Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. +Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. -

    Valid values: +Valid values: - 0 - Allows the use of lowercase letters in PIN. - 1 - Requires the use of at least one lowercase letters in PIN. - 2 - Does not allow the use of lowercase letters in PIN. -

    Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/SpecialCharacters** -

    Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . +Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . -

    Valid values: +Valid values: - 0 - Allows the use of special characters in PIN. - 1 - Requires the use of at least one special character in PIN. - 2 - Does not allow the use of special characters in PIN. -

    Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/Digits** -

    Integer value that configures the use of digits in the Windows Hello for Business PIN. +Integer value that configures the use of digits in the Windows Hello for Business PIN. -

    Valid values: +Valid values: - 0 - Allows the use of digits in PIN. - 1 - Requires the use of at least one digit in PIN. - 2 - Does not allow the use of digits in PIN. -

    Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/History** -

    Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. +Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. -

    The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. +The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. -

    Default value is 0. +Default value is 0. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/Expiration** -

    Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. +Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. -

    Default is 0. +Default is 0. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT) -

    Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. -

    *Not supported on Windows Holographic and Windows Holographic for Business.* +Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. +*Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT) -

    Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. -

    Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. +Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. +Supported operations are Add, Get, Delete, and Replace. +*Not supported on Windows Holographic and Windows Holographic for Business.* -

    Supported operations are Add, Get, Delete, and Replace. +***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) +Added in Windows 10, next major version. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -

    *Not supported on Windows Holographic and Windows Holographic for Business.* +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + +Value type is bool. Supported operations are Add, Get, Replace, and Delete. **UseBiometrics** -

    This node is deprecated. Use **Biometrics/UseBiometrics** node instead. +This node is deprecated. Use **Biometrics/UseBiometrics** node instead. **Biometrics** (only for ./Device/Vendor/MSFT) -

    Node for defining biometric settings. This node was added in Windows 10, version 1511. -

    *Not supported on Windows Holographic and Windows Holographic for Business.* +Node for defining biometric settings. This node was added in Windows 10, version 1511. +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -

    Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. -

    Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. +Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -

    *Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) -

    Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. -

    Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. +Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. -

    If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. +If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. -

    Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. +Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. -

    Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -

    *Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business.* + +**DeviceUnlock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Interior node. + +**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DynamicLock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Interior node. + + +**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Enables the dynamic lock. + +Value type is bool. Supported operations are Add, Get, Replace, and Delete. + +**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Examples -

    Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. +Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. ``` syntax diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 63c6b7819f..06eabcf651 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -7,16 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 07/26/2017 --- # PassportForWork DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.3/MDM/PassportForWork + com.microsoft/1.5/MDM/PassportForWork 
@@ -565,58 +568,58 @@ If you disable or do not configure this policy setting, the TPM is still preferr - ExcludeSecurityDevices + ExcludeSecurityDevices + + + + + + + Root node for excluded security devices. + + + + + + + + + + ExcludeSecurityDevices + + + + + + TPM12 - - - - - - Root node for excluded security devices. - - - - - - - - - - ExcludeSecurityDevices - - - - - - TPM12 - - - - - - - - False - Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + + + + + + + False + Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + text/plain + + + + EnablePinRecovery @@ -657,7 +660,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret False - Windows Hello for Business can use certificates to authenticate to on-premises resources. + Windows Hello for Business can use certificates to authenticate to on-premise resources. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. 
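Review bot: The `@@ -657` hunk replaces `on-premises resources` with `on-premise resources`, which is a wording regression since the previous text had the standard form; unless this description is being mirrored byte-for-byte from the shipped DDF file, keep `Windows Hello for Business can use certificates to authenticate to on-premises resources.` The `@@ -565` hunk only re-indents the ExcludeSecurityDevices/TPM12 block and needs no change.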
@@ -985,6 +988,35 @@ Default value is false. If you enable this setting, a desktop device will allow + + UseHelloCertificatesAsSmartCardCertificates + + + + + + + + False + If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. + +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + + + + + + + + + + + text/plain + + + 
@@ -1083,9 +1115,9 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device False This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. -If you enable or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. +If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. -If you disable this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. +If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. 
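Review bot: The rewritten description inverts what happens when the enhanced anti-spoofing setting is not configured: the old text required enhanced anti-spoofing when the setting was enabled or not configured, the new text requires it only when explicitly enabled and treats not configured as not required. If that reflects a real change in the default it is a fail-open change for managed devices that never set this policy, and the following sentence `Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.` no longer distinguishes managed from unmanaged defaults; if product behavior did not change, the new wording is wrong. Please confirm against the shipped DDF/ADMX and add an explicit default line in the companion CSP topic, for example `Default: not required unless the policy is explicitly enabled (changed from earlier releases).`, so admins who relied on the previous default know to set the policy explicitly. The node name for this policy is outside the hunk.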
@@ -1100,19 +1132,176 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re text/plain + + + + + + + + + DeviceUnlock + + + + + Device Unlock + + + + + + + + + + + + + + + GroupA + + + + + + + + Contains a list of providers by GUID that are to be considered for the first step of authentication + + + + + + + + + + + text/plain + + + + + GroupB + + + + + + + + Contains a list of providers by GUID that are to be considered for the second step of authentication + + + + + + + + + + + text/plain + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user presence + + + + + + + + + + + text/plain + + + + + + DynamicLock + + + + + Dynamic Lock + + + + + + + + + + + + + + + DynamicLock + + + + + + + + False + Enables/Disables Dyanamic Lock + + + + + + + + + + + text/plain + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user absence + + + + + + + + + + + text/plain + -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c37bf5cc29..f8c256c163 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/03/2018 +ms.date: 08/14/2018 --- # Policy CSP @@ -365,6 +365,15 @@ The following diagram shows the Policy configuration service provider in tree fo
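Review bot: The new `DynamicLock/DynamicLock` description in the `@@ -1100` hunk has a typo, `Enables/Disables Dyanamic Lock`; it should read `Enables/Disables Dynamic Lock`. The `GroupA`, `GroupB` and `Plugins` descriptions also omit the list format: the CSP topic in this same commit states each value is a comma-separated list of GUIDs or plugins, so the DDF text should say so too, for example `Contains a comma-separated list of providers by GUID that are to be considered for the first step of authentication`, because these nodes decide which credential providers satisfy each unlock step and a wrong delimiter could yield a policy that silently does not apply. If the DDF text is pasted from the product's DDF file, the fix belongs upstream as well. The file now also ends without a trailing newline (`\ No newline at end of file`).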

    Authentication/AllowSecondaryAuthenticationDevice
    +
    + Authentication/EnableFastFirstSignIn +
    +
    + Authentication/EnableWebSignIn +
    +
    + Authentication/PreferredAadTenantDomainName +
    ### Autoplay policies @@ -389,6 +398,29 @@ The following diagram shows the Policy configuration service provider in tree fo +### BITS policies + +
    +
    + BITS/BandwidthThrottlingEndTime +
    +
    + BITS/BandwidthThrottlingStartTime +
    +
    + BITS/BandwidthThrottlingTransferRate +
    +
    + BITS/CostedNetworkBehaviorBackgroundPriority +
    +
    + BITS/CostedNetworkBehaviorForegroundPriority +
    +
    + BITS/JobInactivityTimeout +
    +
    + ### Bluetooth policies
    @@ -445,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/AllowFlashClickToRun
    +
    + Browser/AllowFullScreenMode +
    Browser/AllowInPrivate
    @@ -457,15 +492,33 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/AllowPopups
    +
    + Browser/AllowPrelaunch +
    +
    + Browser/AllowPrinting +
    +
    + Browser/AllowSavingHistory +
    Browser/AllowSearchEngineCustomization
    Browser/AllowSearchSuggestionsinAddressBar
    +
    + Browser/AllowSideloadingOfExtensions +
    Browser/AllowSmartScreen
    +
    + Browser/AllowTabPreloading +
    +
    + Browser/AllowWebContentOnNewTabPage +
    Browser/AlwaysEnableBooksLibrary
    @@ -475,6 +528,24 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/ConfigureAdditionalSearchEngines
    +
    + Browser/ConfigureFavoritesBar +
    +
    + Browser/ConfigureHomeButton +
    +
    + Browser/ConfigureKioskMode +
    +
    + Browser/ConfigureKioskResetAfterIdleTimeout +
    +
    + Browser/ConfigureOpenMicrosoftEdgeWith +
    +
    + Browser/ConfigureTelemetryForMicrosoft365Analytics +
    Browser/DisableLockdownOfStartPages
    @@ -499,6 +570,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/PreventAccessToAboutFlagsInMicrosoftEdge
    +
    + Browser/PreventCertErrorOverrides +
    Browser/PreventFirstRunPage
    @@ -511,9 +585,6 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/PreventSmartScreenPromptOverrideForFiles
    -
    - Browser/PreventTabPreloading -
    Browser/PreventUsingLocalHostIPAddressForWebRTC
    @@ -526,12 +597,21 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/SetDefaultSearchEngine
    +
    + Browser/SetHomeButtonURL +
    +
    + Browser/SetNewTabPageURL +
    Browser/ShowMessageWhenOpeningSitesInInternetExplorer
    Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
    +
    + Browser/UnlockHomeButton +
    Browser/UseSharedFolderForBooks
    @@ -740,6 +820,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Defender/AvgCPULoadFactor
    +
    + Defender/CheckForSignaturesBeforeRunningScan +
    Defender/CloudBlockLevel
    @@ -755,9 +838,18 @@ The following diagram shows the Policy configuration service provider in tree fo
    Defender/DaysToRetainCleanedMalware
    +
    + Defender/DisableCatchupFullScan +
    +
    + Defender/DisableCatchupQuickScan +
    Defender/EnableControlledFolderAccess
    +
    + Defender/EnableLowCPUPriority +
    Defender/EnableNetworkProtection
    @@ -788,6 +880,12 @@ The following diagram shows the Policy configuration service provider in tree fo
    Defender/ScheduleScanTime
    +
    + Defender/SignatureUpdateFallbackOrder +
    +
    + Defender/SignatureUpdateFileSharesSources +
    Defender/SignatureUpdateInterval
    @@ -808,6 +906,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    DeliveryOptimization/DOAllowVPNPeerCaching
    +
    + DeliveryOptimization/DOCacheHost +
    DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    @@ -887,6 +988,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### DeviceGuard policies
    +
    + DeviceGuard/EnableSystemGuard +
    DeviceGuard/EnableVirtualizationBasedSecurity
    @@ -901,6 +1005,18 @@ The following diagram shows the Policy configuration service provider in tree fo ### DeviceInstallation policies
    +
    + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs +
    +
    + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses +
    +
    + DeviceInstallation/PreventDeviceMetadataFromNetwork +
    +
    + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings +
    DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    @@ -988,6 +1104,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### DmaGuard policies + +
    +
    + DmaGuard/DeviceEnumerationPolicy +
    +
    + ### Education policies
    @@ -1065,6 +1189,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### Experience policies
    +
    + Experience/AllowClipboardHistory +
    Experience/AllowCopyPaste
    @@ -1131,6 +1258,12 @@ The following diagram shows the Policy configuration service provider in tree fo
    Experience/DoNotShowFeedbackNotifications
    +
    + Experience/DoNotSyncBrowserSettings +
    +
    + Experience/PreventUsersFromTurningOnBrowserSyncing +
    ### ExploitGuard policies @@ -2334,6 +2467,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Privacy/DisableAdvertisingId
    +
    + Privacy/DisablePrivacyExperience +
    Privacy/EnableActivityFeed
    @@ -2782,6 +2918,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
    +
    + Security/RecoveryEnvironmentAuthentication +
    Security/RequireDeviceEncryption
    @@ -2895,6 +3034,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Start/AllowPinnedFolderVideos
    +
    + Start/DisableContextMenus +
    Start/ForceStartSize
    @@ -3044,6 +3186,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### TaskManager policies + +
    +
    + TaskManager/AllowEndTask +
    +
    + ### TaskScheduler policies
    @@ -3167,6 +3317,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/AutoRestartDeadlinePeriodInDays
    +
    + Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +
    Update/AutoRestartNotificationSchedule
    @@ -3200,12 +3353,21 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/EngagedRestartDeadline
    +
    + Update/EngagedRestartDeadlineForFeatureUpdates +
    Update/EngagedRestartSnoozeSchedule
    +
    + Update/EngagedRestartSnoozeScheduleForFeatureUpdates +
    Update/EngagedRestartTransitionSchedule
    +
    + Update/EngagedRestartTransitionScheduleForFeatureUpdates +
    Update/ExcludeWUDriversInQualityUpdate
    @@ -3275,9 +3437,18 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/SetAutoRestartNotificationDisable
    +
    + Update/SetDisablePauseUXAccess +
    +
    + Update/SetDisableUXWUAccess +
    Update/SetEDURestart
    +
    + Update/UpdateNotificationLevel +
    Update/UpdateServiceUrl
    @@ -3424,6 +3595,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    WindowsDefenderSecurityCenter/DisableAppBrowserUI
    +
    + WindowsDefenderSecurityCenter/DisableClearTpmButton +
    WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    @@ -3442,6 +3616,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    WindowsDefenderSecurityCenter/DisableNotifications
    +
    + WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning +
    WindowsDefenderSecurityCenter/DisableVirusUI
    @@ -3466,6 +3643,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    +
    + WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl +
    WindowsDefenderSecurityCenter/Phone
    
@@ -3592,11 +3772,14 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
 - [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
 - [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
 - [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
 - [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
 - 
[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) - [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) @@ -3983,6 +4166,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) - [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) - [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime) +- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime) +- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate) +- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority) +- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority) +- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout) - [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) - [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) - [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) 
@@ -3991,33 +4180,49 @@ The following diagram shows the Policy configuration service provider in tree fo - [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions) - [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash) - [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun) +- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode) - [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate) - [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist) - [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager) - [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch) +- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting) +- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory) - [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization) - [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions) - [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen) +- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading) +- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage) - [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary) - [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit) - [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines) +- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar) +- 
[Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton) +- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode) +- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout) +- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith) +- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics) - [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages) - [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry) - [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist) - [Browser/HomePages](./policy-csp-browser.md#browser-homepages) - [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites) - [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge) +- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides) - [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage) - [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection) - [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride) - [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/PreventTabPreloading](./policy-csp-browser.md#browser-preventtabpreloading) - [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc) - [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites) - 
[Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer) - [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine) +- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl) +- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl) - [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer) - [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge) +- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton) - [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks) - [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera) - [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata) @@ -4039,7 +4244,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) - [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) - [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) -- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g) - [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) - [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning) - [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring) 
@@ -4055,12 +4259,16 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
 - [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
 - [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
 - [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
 - [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
 - [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
 - [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
 - [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
+- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
 - [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
+- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
 - [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
 - [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
 - [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
@@ -4070,11 +4278,14 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
 - [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
 - [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
+- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
 - [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
 - [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
 - [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
 - [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
 - [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
 - [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
 - [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
 - [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
@@ -4097,9 +4308,14 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard) - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) - [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) - [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) - 
[DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) @@ -4110,6 +4326,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps) - [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps) - [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps) +- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy) - [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters) - [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) - [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) @@ -4120,6 +4337,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) - [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) - [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory) - [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana) - [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice) - [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata) 
@@ -4132,6 +4350,8 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
 - [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
 - [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
+- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
 - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
 - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
 - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
@@ -4482,6 +4702,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
 - [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
 - [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
 - [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
 - [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
 - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
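Review bot: The new link for `Experience/DoNotSyncBrowserSettings` points at `#experience-donotsyncbrowsersetting`, which drops the trailing `s` of the policy name; every other anchor in these lists is the lower-cased policy path (for example `#experience-preventusersfromturningonbrowsersyncing` on the next line), so this one almost certainly resolves to nothing. Change it to `- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersettings)`. The same entry may be repeated in the other per-edition lists of this file, which are outside this hunk; check those as well.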
@@ -4610,6 +4831,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
 - [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
 - [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
 - [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
 - [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
 - [Start/StartLayout](./policy-csp-start.md#start-startlayout)
@@ -4643,6 +4865,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
 - [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
 - [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
+- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
 - [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
 - [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
 - [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
@@ -4653,8 +4876,11 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
 - [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
 - [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
+- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
 - [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
+- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
 - [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
+- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
 - [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
 - [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
 - [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
@@ -4674,7 +4900,10 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
 - [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
 - [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
+- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
+- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
 - [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
 - [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
 - [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
 - [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
@@ -4712,12 +4941,14 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
 - [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
 - [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
+- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
 - [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
 - [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
 - [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
 - [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
 - [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
 - [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
+- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning)
 - [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
 - [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
 - [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
@@ -4726,6 +4957,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
 - [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
 - [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
+- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol)
 - [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
 - [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
 - [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 64e6764b0a..7b0ad06974 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Accounts
@@ -248,9 +248,4 @@ Footnote:
-
-## Accounts policies supported by Windows Holographic for Business
-
-- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
-
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 1698ec45a7..3961d870d8 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -80,7 +80,7 @@ ADMX Info:
-To create create the SyncML, follow these steps:
+To create the SyncML, follow these steps:
    1. Install a few apps and change your defaults.
    2. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
    3. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 39546190c2..1c06c38801 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/03/2018 +ms.date: 08/08/2018 --- # Policy CSP - ApplicationManagement @@ -353,9 +353,8 @@ The following list shows the supported values: -Specifies whether multiple users of the same app can share data. -Most restricted value is 0. +[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../../../browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] @@ -369,9 +368,10 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Not allowed. -- 1 – Allowed. +- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. +- 1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. +Most restricted value: 0 @@ -511,7 +511,7 @@ Value evaluation rule - The information for PolicyManager is opaque. There is no cross mark cross mark - check mark1 + cross mark check mark1 check mark1 cross mark 
@@ -590,6 +590,17 @@ The following list shows the supported values: List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after logon. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. +For this policy to work, the Windows apps need to declare in their manifest that they will use the start up task. Example of the declaration here: + +``` syntax + + + +``` + +> [!Note] +> This policy only works on modern apps. + @@ -621,7 +632,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window cross mark check mark4 - check mark4 + cross mark check mark4 check mark4 cross mark @@ -684,7 +695,7 @@ This setting supports a range of values between 0 and 1. cross mark check mark4 - check mark4 + cross mark check mark4 check mark4 cross mark @@ -748,7 +759,7 @@ This setting supports a range of values between 0 and 1. cross mark cross mark - check mark + cross mark check mark check mark check mark @@ -1039,17 +1050,3 @@ Footnote: - -## ApplicationManagement policies supported by Windows Holographic for Business - -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - - - -## ApplicationManagement policies supported by IoT Core - -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - - diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index ed8ae05a5c..d3d1e3c5a4 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/08/2018 --- # Policy CSP - AppVirtualization @@ -124,8 +124,8 @@ ms.date: 03/12/2018 cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -182,8 +182,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -240,8 +240,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -298,8 +298,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -356,8 +356,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -414,8 +414,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -482,8 +482,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -540,8 +540,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -598,8 +598,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -656,8 +656,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -714,8 +714,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -772,8 +772,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -830,8 +830,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -906,8 +906,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark 
@@ -982,8 +982,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1058,8 +1058,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1134,8 +1134,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1210,8 +1210,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1268,8 +1268,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1326,8 +1326,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1384,8 +1384,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1442,8 +1442,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1500,8 +1500,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1558,8 +1558,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1616,8 +1616,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1674,8 +1674,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1732,8 +1732,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1790,8 +1790,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 1b134ed0ff..7578533727 100644 
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Authentication
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
      @@ -34,6 +36,15 @@ ms.date: 05/14/2018
      Authentication/AllowSecondaryAuthenticationDevice
      +
      + Authentication/EnableFastFirstSignIn +
      +
      + Authentication/EnableWebSignIn +
      +
      + Authentication/PreferredAadTenantDomainName +
    @@ -302,6 +313,182 @@ The following list shows the supported values: + +
    + + +**Authentication/EnableFastFirstSignIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts +- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts + + + + + + + + + + + + + +
    + + +**Authentication/EnableWebSignIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). + +> [!Note] +> Web Sign-in is only supported on Azure AD Joined PCs. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Web Credential Provider will be enabled for Sign In +- 2 - Disabled. Web Credential Provider will not be enabled for Sign In + + + + + + + + + + + + + +
    + + +**Authentication/PreferredAadTenantDomainName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Specifies the preferred domain among available domains in the Azure AD tenant. + +Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com". + + +Value type is string. + + + + + + + + + + + +
    Footnote:
@@ -310,18 +497,6 @@ Footnote:
 - 2 - Added in Windows 10, version 1703.
 - 3 - Added in Windows 10, version 1709.
 - 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
-
-
-## Authentication policies supported by Windows Holographic for Business
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-
-
-
-## Authentication policies supported by IoT Core
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-
-
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
new file mode 100644
index 0000000000..c9fdf5ff82
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -0,0 +1,504 @@
+---
+title: Policy CSP - BITS
+description: Policy CSP - BITS
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 06/29/2018
+---
+
+# Policy CSP - BITS
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
+
+- BITS/BandwidthThrottlingEndTime
+- BITS/BandwidthThrottlingStartTime
+- BITS/BandwidthThrottlingTransferRate
+
+If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8am and 5pm respectively). The time policies are based on the 24-hour clock.
+
+
    + + +## BITS policies + +
    +
    + BITS/BandwidthThrottlingEndTime +
    +
    + BITS/BandwidthThrottlingStartTime +
    +
    + BITS/BandwidthThrottlingTransferRate +
    +
    + BITS/CostedNetworkBehaviorBackgroundPriority +
    +
    + BITS/CostedNetworkBehaviorForegroundPriority +
    +
    + BITS/JobInactivityTimeout +
    +
    + + +
    + + +**BITS/BandwidthThrottlingEndTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. + +Value type is integer. Default value is 17 (5 pm). + +Supported value range: 0 - 23 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_BandwidthLimitSchedTo* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
    + + +**BITS/BandwidthThrottlingStartTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. + +Value type is integer. Default value is 8 (8 am). + +Supported value range: 0 - 23 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_BandwidthLimitSchedFrom* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
    + + +**BITS/BandwidthThrottlingTransferRate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. + +Value type is integer. Default value is 1000. + +Supported value range: 0 - 4294967200 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_MaxTransferRateText* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
    + + +**BITS/CostedNetworkBehaviorBackgroundPriority** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers. + +If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: +- 1 - Always transfer +- 2 - Transfer unless roaming +- 3 - Transfer unless surcharge applies (when not roaming or overcap) +- 4 - Transfer unless nearing limit (when not roaming or nearing cap) +- 5 - Transfer only if unconstrained + + + +ADMX Info: +- GP English name: *Set default download behavior for BITS jobs on costed networks* +- GP name: *BITS_SetTransferPolicyOnCostedNetwork* +- GP element: *BITS_TransferPolicyNormalPriorityValue* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
    + + +**BITS/CostedNetworkBehaviorForegroundPriority** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers. + +If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: +- 1 - Always transfer +- 2 - Transfer unless roaming +- 3 - Transfer unless surcharge applies (when not roaming or overcap) +- 4 - Transfer unless nearing limit (when not roaming or nearing cap) +- 5 - Transfer only if unconstrained + + + +ADMX Info: +- GP English name: *Set default download behavior for BITS jobs on costed networks* +- GP name: *BITS_SetTransferPolicyOnCostedNetwork* +- GP element: *BITS_TransferPolicyForegroundPriorityValue* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
    + + +**BITS/JobInactivityTimeout** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. + +> [!Note] +> Any property changes to the job or any successful download action will reset this timeout. + +Value type is integer. Default is 90 days. + +Supported values range: 0 - 999 + +Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. +Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. + +If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. + + + +ADMX Info: +- GP English name: *Timeout for inactive BITS jobs* +- GP name: *BITS_Job_Timeout* +- GP element: *BITS_Job_Timeout_Time* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +Value type is integer. Default is 90 days. + +Supported values range: 0 - 999 + + + + + + + + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 1fb3b009d6..592beedb9a 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/08/2018 --- # Policy CSP - Bluetooth @@ -219,7 +219,7 @@ The following list shows the supported values: check mark4 check mark4 check mark4 - cross mark + check mark4 cross mark cross mark 
@@ -439,30 +439,4 @@ Footnote: * The Surface pen uses the HID over GATT profile {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} - -## Bluetooth policies supported by Windows Holographic for Business - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - - - -## Bluetooth policies supported by IoT Core - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - - - -## Bluetooth policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index e4a66aaaa6..e025ffe2fc 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,11 +6,13 @@ ms.prod: w10 ms.technology: windows author: shortpatti ms.author: pashort -ms.date: 06/21/2018 +ms.date: 08/08/2018 --- # Policy CSP - Browser +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -49,6 +51,9 @@ ms.date: 06/21/2018
    Browser/AllowFlashClickToRun
    +
    + Browser/AllowFullScreenMode +
    Browser/AllowInPrivate
    @@ -61,15 +66,33 @@ ms.date: 06/21/2018
    Browser/AllowPopups
    +
    + Browser/AllowPrelaunch +
    +
    + Browser/AllowPrinting +
    +
    + Browser/AllowSavingHistory +
    Browser/AllowSearchEngineCustomization
    Browser/AllowSearchSuggestionsinAddressBar
    +
    + Browser/AllowSideloadingOfExtensions +
    Browser/AllowSmartScreen
    +
    + Browser/AllowTabPreloading +
    +
    + Browser/AllowWebContentOnNewTabPage +
    Browser/AlwaysEnableBooksLibrary
    @@ -79,6 +102,24 @@ ms.date: 06/21/2018
    Browser/ConfigureAdditionalSearchEngines
    +
    + Browser/ConfigureFavoritesBar +
    +
    + Browser/ConfigureHomeButton +
    +
    + Browser/ConfigureKioskMode +
    +
    + Browser/ConfigureKioskResetAfterIdleTimeout +
    +
    + Browser/ConfigureOpenMicrosoftEdgeWith +
    +
    + Browser/ConfigureTelemetryForMicrosoft365Analytics +
    Browser/DisableLockdownOfStartPages
    @@ -103,6 +144,9 @@ ms.date: 06/21/2018
    Browser/PreventAccessToAboutFlagsInMicrosoftEdge
    +
    + Browser/PreventCertErrorOverrides +
    Browser/PreventFirstRunPage
    @@ -115,10 +159,7 @@ ms.date: 06/21/2018
    Browser/PreventSmartScreenPromptOverrideForFiles
    -
    - Browser/PreventTabPreloading -
    -
    +
    Browser/PreventUsingLocalHostIPAddressForWebRTC
    @@ -130,12 +171,21 @@ ms.date: 06/21/2018
    Browser/SetDefaultSearchEngine
    +
    + Browser/SetHomeButtonURL +
    +
    + Browser/SetNewTabPageURL +
    Browser/ShowMessageWhenOpeningSitesInInternetExplorer
    Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
    +
    + Browser/UnlockHomeButton +
    Browser/UseSharedFolderForBooks
    @@ -181,11 +231,10 @@ ms.date: 06/21/2018 -Added in Windows 10, version 1703. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -By default, Microsoft Edge shows the Address bar drop-down list and makes it available. When enabled (default setting), this policy takes precedence over the [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy. If you want to minimize network connections from Microsoft Edge to Microsoft service, we recommend disabling this policy, which hides the Address bar drop-down list functionality. When disabled, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.   +[!INCLUDE [allow-address-bar-drop-down-shortdesc](../../../browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md)] -Most restricted value is 0. @@ -197,11 +246,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  -- 1 (default) – Allowed. Address bar drop-down is enabled. +- 0 – Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings.  +- 1 (default) – Allowed. Show the Address bar drop-down list and make it available. +Most restricted value: 0 @@ -244,9 +294,8 @@ The following list shows the supported values: -By default, users can choose to use Autofill for filling in form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. -Most restricted value is 0. +[!INCLUDE [configure-autofill-shortdesc](../../../browsers/edge/shortdesc/configure-autofill-shortdesc.md)] 
@@ -258,11 +307,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- Blank - Users can choose to use AutoFill. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. +Most restricted value: 0 To verify AllowAutofill is set to 0 (not allowed): @@ -317,17 +368,18 @@ To verify AllowAutofill is set to 0 (not allowed): > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. -By default, the device allows Microsoft Edge on Windows 10 Mobile. Disabling this policy disables the Microsoft Edge tile, and when clicking the tile, a message opens indicating that the administrator disabled Internet browsing. +The device allows Microsoft Edge on Windows 10 Mobile by default. With this policy, you can disable the Microsoft Edge tile, and when clicking the tile, a message opens indicating that the administrator disabled Internet browsing. + -Most restricted value is 0. -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. +Most restricted value: 0 @@ -370,14 +422,15 @@ The following list shows the supported values: -By default, Microsoft Edge automatically updates the configuration data for the Books Library. Enabling this policy prevents Microsoft Edge from updating the configuration data. + +[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] -The following list shows the supported values: +Supported values: -- 0 - Disable. Microsoft Edge cannot retrieve a configuration -- 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library +- 0 - Prevented/not allowed. +- 1 (default). Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. 
@@ -421,10 +474,10 @@ The following list shows the supported values: -By default, Microsoft Edge allows all cookies from all websites. With this policy, however, you can configure Microsoft to block only 3rd-party cookies or block all cookies. +[!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)] + -Most restricted value is 0. @@ -437,12 +490,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Block all cookies from all sites. -- 1 – Block only cookies from third party websites. -- 2 - Allow all cookies from all sites. +- 0 – Block all cookies from all sites +- 1 – Block only cookies from third party websites +- 2 - Allow all cookies from all sites +Most restricted value: 0 To verify AllowCookies is set to 0 (not allowed): @@ -497,9 +551,7 @@ To verify AllowCookies is set to 0 (not allowed): > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -By default, Microsoft Edge allows users to use the F12 developer tools to build and debug web pages. Disabling this policy prevents users from using the F12 developer tools. - -Most restricted value is 0. +[!INCLUDE [allow-developer-tools-shortdesc](../../../browsers/edge/shortdesc/allow-developer-tools-shortdesc.md)] @@ -511,11 +563,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. +Most restricted value: 0 
@@ -558,9 +611,7 @@ The following list shows the supported values: -By default, Microsoft Edge does not send Do Not Track requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. - -Most restricted value is 1. +[!INCLUDE [configure-do-not-track-shortdesc](../../../browsers/edge/shortdesc/configure-do-not-track-shortdesc.md)] @@ -572,13 +623,13 @@ ADMX Info: -The following list shows the supported values: - -- Blank/Null (default) Not configured - Does not send tracking information, but allow users to choose whether to send tracking information to sites they visit. -- 0 (Disabled) - Never sends tracking information. -- 1 (Enabled) - Sends tracking information, including to the third parties whose content may be hosted on the sites visited. +Supported values: +- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit. +- 0 - Never send tracking information. +- 1 - Send tracking information. +Most restricted value: 1 To verify AllowDoNotTrack is set to 0 (not allowed): @@ -630,7 +681,9 @@ To verify AllowDoNotTrack is set to 0 (not allowed): -Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. +>*Supported versions: Microsoft Edge on Windows 10, version 1607* + +[!INCLUDE [allow-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-extensions-shortdesc.md)] @@ -642,9 +695,9 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. @@ -689,7 +742,9 @@ The following list shows the supported values: -Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. + + +[!INCLUDE [allow-adobe-flash-shortdesc](../../../browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md)] 
@@ -701,9 +756,9 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. @@ -748,7 +803,10 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + + +[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] @@ -760,16 +818,85 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. -- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. +- 0 – Load and run Adobe Flash content automatically. +- 1 (default) – Do not load or run Adobe Flash content automatically. Requires user action. +Most restricted value: 1
    + +**Browser/AllowFullScreenMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow FullScreen Mode* +- GP name: *AllowFullScreenMode* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
    + **Browser/AllowInPrivate** @@ -785,7 +912,7 @@ The following list shows the supported values: Mobile Enterprise - check mark + cross mark check mark check mark check mark @@ -807,9 +934,9 @@ The following list shows the supported values: -Specifies whether InPrivate browsing is allowed on corporate networks. +[!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)] -Most restricted value is 0. +Most restricted value: 0 @@ -821,10 +948,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Prevented/not allowed +- 1 (default) – Allowed @@ -868,12 +995,12 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. -By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. -Most restricted value is 0. +[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] + +Most restricted value: 0 
@@ -885,10 +1012,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not enabled. -- 1 (default) – Enabled. +- 0 – Prevented/not allowed +- 1 (default) – Allowed @@ -932,9 +1059,8 @@ The following list shows the supported values: -Specifies whether saving and managing passwords locally on the device is allowed. +[!INCLUDE [configure-password-manager-shortdesc](../../../browsers/edge/shortdesc/configure-password-manager-shortdesc.md)] -Most restricted value is 0. @@ -946,10 +1072,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Blank - Users can shoose to save and manage passwords locally. +- 0 – Not allowed. +- 1 (default) – Allowed. + +Most restricted value: 0 @@ -1002,9 +1131,8 @@ To verify AllowPasswordManager is set to 0 (not allowed): -Specifies whether pop-up blocker is allowed or enabled. -Most restricted value is 1. +[!INCLUDE [configure-pop-up-blocker-shortdesc](../../../browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md)] @@ -1016,11 +1144,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. -- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. +- Blank - Users can choose to use Pop-up Blocker. +- 0 (default) – Turn off Pop-up Blocker letting pop-up windows open. +- 1 – Turn on Pop-up Blocker stopping pop-up windows from opening. +Most restricted value: 1 To verify AllowPopups is set to 0 (not allowed): @@ -1035,6 +1165,211 @@ To verify AllowPopups is set to 0 (not allowed):
    + +**Browser/AllowPrelaunch** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + +[!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed* +- GP name: *AllowPrelaunch* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
    + + +**Browser/AllowPrinting** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow printing* +- GP name: *AllowPrinting* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
    + + +**Browser/AllowSavingHistory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Saving History* +- GP name: *AllowSavingHistory* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
    + **Browser/AllowSearchEngineCustomization** @@ -1072,11 +1407,13 @@ To verify AllowPopups is set to 0 (not allowed): -Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  -   -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  -Most restricted value is 0. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + + +[!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)] + + @@ -1088,10 +1425,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Prevented/not allowed +- 1 (default) – Allowed + +Most restricted value: 0 @@ -1135,9 +1474,7 @@ The following list shows the supported values: -Specifies whether search suggestions are allowed in the address bar. - -Most restricted value is 0. +[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../../../browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] @@ -1149,16 +1486,87 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Blank (default) - Users can choose to see search suggestions. +- 0 – Prevented/not allowed. Hide the search suggestions. +- 1 – Allowed. Show the search suggestions. +Most restricted value: 0
    + +**Browser/AllowSideloadingOfExtensions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Sideloading of extension* +- GP name: *AllowSideloadingOfExtensions* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). +- 1 (default) - Allowed. + +Most restricted value: 0 + + + + + + + + + +
    + **Browser/AllowSmartScreen** @@ -1196,9 +1604,7 @@ The following list shows the supported values: -Specifies whether Windows Defender SmartScreen is allowed. - -Most restricted value is 1. +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../../../browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] @@ -1210,11 +1616,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Blank - Users can choose to use Windows Defender SmartScreen or not. +- 0 – Turned off. Do not protect users from potential threats and prevent users from turning it on. +- 1 (default) – Turned on. Protect users from potential threats and prevent users from turning it off. +Most restricted value: 1 To verify AllowSmartScreen is set to 0 (not allowed): @@ -1229,6 +1637,143 @@ To verify AllowSmartScreen is set to 0 (not allowed):
    + +**Browser/AllowTabPreloading** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Microsoft Edge to start and load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed* +- GP name: *AllowTabPreloading* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Allowed. Preload Start and New tab pages. +- 1 - Prevented/not allowed. + +Most restricted value: 1 + + + + + + + + + +
    + + +**Browser/AllowWebContentOnNewTabPage** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + +ADMX Info: +- GP English name: *Allow web content on New Tab page* +- GP name: *AllowWebContentOnNewTabPage* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank - Users can choose what loads on the New tab page. +- 0 - Load a blank page instead of the default New tab page and prevent users from changing it. +- 1 (default) - Load the default New tab page. + + + + + + + + + + +
    + **Browser/AlwaysEnableBooksLibrary** @@ -1266,7 +1811,10 @@ To verify AllowSmartScreen is set to 0 (not allowed): -Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge + +[!INCLUDE [always-show-books-library-shortdesc](../../../browsers/edge/shortdesc/always-show-books-library-shortdesc.md)] + + @@ -1278,11 +1826,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available. -- 1 - Enable. Always show the Books Library, regardless of countries or region of activation. +- 0 (default) - Show the Books Library only in countries or regions where supported. +- 1 - Show the Books Library, regardless of the device’s country or region. +Most restricted value: 0 @@ -1325,9 +1874,9 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* -Most restricted value is 1. +[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] 
@@ -1339,18 +1888,20 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. -- 1 – Browsing data is cleared on exit. +- 0 – (default) Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. +- 1 – Allowed. Clear the browsing data upon exit automatically. +Most restricted value: 1 To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): -1. Open Microsoft Edge and browse to websites. -2. Close the Microsoft Edge window. -3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. +1. Open Microsoft Edge and browse to websites. +2. Close the Microsoft Edge window. +3. Open Microsoft Edge and start typing the same URL in address bar. +4. Verify that it does not auto-complete from history. 
@@ -1394,19 +1945,14 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set -Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  -  -If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). -Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + +[!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)] -If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. -  > [!IMPORTANT] > Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  -Most restricted value is 0. - ADMX Info: @@ -1418,12 +1964,460 @@ ADMX Info: -The following list shows the supported values: +Supported values: + +- 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

    If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. +- 1 – Allowed. Add up to five additional search engines and set any one of them as the default.

    For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). + +Most restricted value: 0 + + + +


    + + +**Browser/ConfigureFavoritesBar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Configure Favorites Bar* +- GP name: *ConfigureFavoritesBar* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. +- 0 - Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. +- 1 - Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. -- 0 (default) – Additional search engines are not allowed. -- 1 – Additional search engines are allowed. + + + + + + + + +
    + + +**Browser/ConfigureHomeButton** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Configure Home Button* +- GP name: *ConfigureHomeButton* +- GP element: *ConfigureHomeButtonDropdown* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Show home button and load the Start page. +- 1 - Show home button and load the New tab page. +- 2 - Show home button and load the custom URL defined in the Set Home Button URL policy. +- 3 - Hide home button. + +>[!TIP] +>If you want to make changes to this policy:
    1. Set the **Unlock Home Button** policy to 1 (enabled).
    2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
    3. Set the **Unlock Home Button** policy to 0 (disabled).
    + + + + + + + + + + + +
    + + +**Browser/ConfigureKioskMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] + +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + + + + + +ADMX Info: +- GP English name: *Configure kiosk mode* +- GP name: *ConfigureKioskMode* +- GP element: *ConfigureKioskMode_TextBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +**0 (Default or not configured)**: +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. + +**1**: +- • If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. + + + + + + + + + +
    + + +**Browser/ConfigureKioskResetAfterIdleTimeout** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + +You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + + + +ADMX Info: +- GP English name: *Configure kiosk reset after idle timeout* +- GP name: *ConfigureKioskResetAfterIdleTimeout* +- GP element: *ConfigureKioskResetAfterIdleTimeout_TextBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. + +- **0** – No idle timer. + + + + + + + + + +
    + + +**Browser/ConfigureOpenMicrosoftEdgeWith** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later**:
    +If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. + + +**Version 1810**:
    +When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. + + + +ADMX Info: +- GP English name: *Configure Open Microsoft Edge With* +- GP name: *ConfigureOpenEdgeWith* +- GP element: *ConfigureOpenEdgeWithListBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. +- 0 - Load the Start page. +- 1 - Load the New tab page. +- 2 - Load the previous pages. +- 3 (default) - Load a specific page or pages. + +>[!TIP] +>If you want to make changes to this policy:
    1. Set the Disabled Lockdown of Start Pages policy to 0 (not configured).
    2. Make changes to the Configure Open Microsoft With policy.
    3. Set the Disabled Lockdown of Start Pages policy to 1 (enabled).
    + + + + + + + + + + + +
    + + +**Browser/ConfigureTelemetryForMicrosoft365Analytics** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Configure collection of browsing data for Microsoft 365 Analytics* +- GP name: *ConfigureTelemetryForMicrosoft365Analytics* +- GP element: *ZonesListBox* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - No data collected or sent +- 1 - Send intranet history only +- 2 - Send Internet history only +- 3 - Send both intranet and Internet history + +Most restricted value: 0 + + + + + + +
    @@ -1465,15 +2459,17 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + +[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]    > [!NOTE] > This policy has no effect when the Browser/HomePages policy is not configured.    > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). -Most restricted value is 0. +Most restricted value: 0 @@ -1485,11 +2481,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  -- 1 – Disable lockdown of the Start pages and allow users to modify them. +- 0 – Locked. Lockdown the Start pages configured in either the Configure Open Microsoft Edge With policy or Configure Start Pages policy.  +- 1 (default) – Unlocked. Users can make changes to all configured start pages.

    When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. +Most restricted value: 0 @@ -1532,9 +2529,8 @@ The following list shows the supported values: -This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge. -If you enable this setting, Microsoft Edge sends additional diagnostic data, on top of the basic diagnostic data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic diagnostic data, depending on your device configuration. +[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../../../browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] @@ -1546,11 +2542,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) - Disable. No additional diagnostic data. -- 1 - Enable. Additional diagnostic data for schools. +- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration. +- 1 - Gather both basic and additional data, such as usage data. +Most restricted value: 0 @@ -1593,11 +2590,14 @@ The following list shows the supported values: + +[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../../../browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.   -Allows the user to specify an URL of an enterprise site list. + 
@@ -1610,10 +2610,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL location of the enterprise site list. +- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. +- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. @@ -1635,7 +2635,7 @@ The following list shows the supported values: Mobile Enterprise - check mark + cross mark check mark check mark check mark @@ -1658,7 +2658,7 @@ The following list shows the supported values: > [!IMPORTANT] -> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). +> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. 
@@ -1705,12 +2705,9 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. +Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com. -Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. - -The data type is a string. - -The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. +Data type = String @@ -1757,11 +2754,18 @@ The default value is an empty string. Otherwise, the string should contain the U > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. -Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" -Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. +[!INCLUDE [configure-start-pages-shortdesc](../../../browsers/edge/shortdesc/configure-start-pages-shortdesc.md)] + +**Version 1607**
    +Starting with this version, the HomePages policy enforces that users cannot change the Start pages settings. + +**Version 1703**
    +If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL. + +**Next Windows 10 major release**
    +When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. -Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. @@ -1776,6 +2780,13 @@ ADMX Info: - GP ADMX file name: *MicrosoftEdge.admx* + +Supported values: + +- Blank (default) - Load the pages specified in App settings as the default Start pages. +- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

          \ \ + +


    @@ -1817,16 +2828,10 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. +>*Supported versions: Microsoft Edge on Windows 10, version 1709* -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] -> [!Important] -> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - -Data type is integer. @@ -1838,11 +2843,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 - Disabled. Do not lockdown Favorites. -- 1 - Enabled. Lockdown Favorites. +- 0 (default) - Allowed/not locked down. Users can add, import, and make changes to the favorites. +- 1 - Prevented/locked down. +Most restricted value: 1 @@ -1863,7 +2869,7 @@ The following list shows the supported values: Mobile Enterprise - check mark + cross mark check mark check mark check mark @@ -1885,7 +2891,8 @@ The following list shows the supported values: -Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. + +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] 
@@ -1897,16 +2904,85 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Users can access the about:flags page in Microsoft Edge. -- 1 – Users can't access the about:flags page in Microsoft Edge. +- 0 (default) – Allowed. +- 1 – Prevented/not allowed. Users cannot access the about:flags page. +Most restricted value: 1
    + +**Browser/PreventCertErrorOverrides** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + +[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Prevent certificate error overrides* +- GP name: *PreventCertErrorOverrides* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Allowed/turned on. Override the security warning to sites that have SSL errors. +- 1 - Prevented/turned on. + +Most restricted value: 1 + + + + + + + + + +
    + **Browser/PreventFirstRunPage** @@ -1944,9 +3020,9 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -Most restricted value is 1. +[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../../../browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] @@ -1958,11 +3034,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Employees see the First Run webpage. -- 1 – Employees don't see the First Run webpage. +- 0 (default) – Allowed. Microsoft Edge loads the First Run webpage. +- 1 – Prevented/not allowed. +Most restricted value: 1 @@ -2005,9 +3082,9 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -Most restricted value is 1. +[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] @@ -2019,11 +3096,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. -- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. +- 0 (default) – Collect and send Live Tile metadata to Microsoft. +- 1 – No data collected. +Most restricted value: 1 
@@ -2066,9 +3144,7 @@ The following list shows the supported values: -Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. - -Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../../../browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] @@ -2080,11 +3156,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Off. -- 1 – On. +- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to the site. +- 1 – Prevented/turned on. +Most restricted value: 1 @@ -2127,7 +3204,8 @@ The following list shows the supported values: -Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../../../browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] @@ -2139,70 +3217,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Off. -- 1 – On. - - - - -
    - - -**Browser/PreventTabPreloading** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark4check mark4check mark4check mark4
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Added in Windows 10, version 1803. This is only a placeholder. Do not use in production code. - - - -ADMX Info: -- GP English name: *Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed* -- GP name: *PreventTabPreloading* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -The following list shows the supported values: - -- 0 (default) – Allow pre-launch and preload. -- 1 – Prevent pre-launch and preload. +- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). +- 1 – Prevented/turned on. +Most restricted value: 1 @@ -2248,8 +3268,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an user’s localhost IP address while making phone calls using WebRTC. +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] @@ -2261,11 +3280,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – The localhost IP address is shown. -- 1 – The localhost IP address is hidden. +- 0 (default) – Allowed. Show localhost IP addresses. +- 1 – Prevented/not allowed. +Most restricted value: 1 
@@ -2308,20 +3328,24 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. -  -URL can be specified as: +>*Supported versions: Microsoft Edge on Windows 10, version 1709* + +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] +  + +Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. + +To define a default list of favorites: +1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. +2. Click **Import from another browser**, click **Export to file** and save the file. +3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

    Specify the URL as:

    • HTTP location: "SiteList"="http://localhost:8080/URLs.html"
    • Local network: "SiteList"="\\network\\shares\\URLs.html"
    • Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html"
    -- HTTP location: "SiteList"="http://localhost:8080/URLs.html" -- Local network: "SiteList"="\\network\shares\URLs.html" -- Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html" > [!Important] -> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. -Data type is string. +Data type = string @@ -2374,14 +3398,13 @@ ADMX Info: + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../../../browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. - -Most restricted value is 0. - ADMX Info: @@ -2392,12 +3415,12 @@ ADMX Info: -The following list shows the supported values: - -- 0 (default) - All websites, including intranet sites, open in Microsoft Edge automatically. -- 1 - Only intranet sites open in Internet Explorer 11 automatically. +Supported values: +- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. +- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser. +Most restricted value: 0 
@@ -2440,17 +3463,15 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + +[!INCLUDE [set-default-search-engine-shortdesc](../../../browsers/edge/shortdesc/set-default-search-engine-shortdesc.md)] -You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  -  -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    -  > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). 
-Most restricted value is 0. +Most restricted value: 0 @@ -2463,12 +3484,151 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) - The default search engine is set to the one specified in App settings. -- 1 - Allows you to configure the default search engine for your employees. +- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the AllowSearchEngineCustomization policy, users cannot make changes. +- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. +- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

    Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

    If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

    If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. + +Most restricted value: 1 + + + +


    + + +**Browser/SetHomeButtonURL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Set Home Button URL* +- GP name: *SetHomeButtonURL* +- GP element: *SetHomeButtonURLPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. +- String - Load a custom URL for the home button. You must also enable the Configure Home Button policy and select the _Show home button & set a specific page_ option.

    Enter a URL in string format, for example, https://www.msn.com. + + + + + + + + +


    + + +**Browser/SetNewTabPageURL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Set New Tab page URL* +- GP name: *SetNewTabPageURL* +- GP element: *SetNewTabPageURLPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Load the default New tab page. +- String - Prevent users from changing the New tab page.

    Enter a URL in string format, for example, https://www.msn.com. + + + + + + +


    @@ -2488,7 +3648,7 @@ The following list shows the supported values: Mobile Enterprise - check mark + cross mark check mark check mark check mark @@ -2510,14 +3670,12 @@ The following list shows the supported values: +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../../../browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. - -Most restricted value is 0. - ADMX Info: @@ -2528,11 +3686,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Interstitial pages are not shown. -- 1 – Interstitial pages are shown. +- 0 (default) – No additional message displays. +- 1 – Show an additional message stating that a site has opened in IE11. +- 2 - Show an additional message with a "Keep going in Microsoft Edge" link. +Most restricted value: 0 @@ -2575,12 +3735,13 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + + +[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -> -> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. 
@@ -2592,10 +3753,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Synchronization is off. -- 1 – Synchronization is on. +- 0 (default) – Turned off/not syncing +- 1 – Turned on/syncing @@ -2603,7 +3764,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
    1. Open Internet Explorer and add some favorites. -
    2. Open Microsoft Edge, then select Hub > Favorites. +
    3. Open Microsoft Edge, then select **Hub > Favorites**.
    4. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
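Review bot: The replacement verification step on the new side is numbered `3.` while the step before it is `1.` and the one after it is `4.`, so the list now skips 2; the removed line was numbered `2.`, and the new line should read `2. Open Microsoft Edge, then select **Hub > Favorites**.` unless a step 2 exists in the lines outside this hunk. Renderers that renumber ordered lists will hide the gap, but the source should still be consistent.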
    @@ -2612,6 +3773,74 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
    + +**Browser/UnlockHomeButton** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Unlock Home Button* +- GP name: *UnlockHomeButton* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Lock down the home button to prevent users from making changes to the settings. +- 1 - Let users make changes. + + + + + + + + + + +
    + **Browser/UseSharedFolderForBooks** @@ -2649,7 +3878,8 @@ To verify that favorites are in synchronized between Internet Explorer and Micro -This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + +[!INCLUDE [allow-a-shared-books-folder-shortdesc](../../../browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md)] @@ -2661,75 +3891,23 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 - No shared folder. -- 1 - Use a shared folder. +- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. +- 1 - Allowed. Microsoft Edge downloads book files into a shared folder. +Most restricted value: 0
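Review bot: The new **Browser/UnlockHomeButton** section has no `Most restricted value` line, while the other Browser sections touched by this commit add one (`+Most restricted value: 0` in the hunks at `@@ -2528,11 +3686,13 @@` and `@@ -2661,75 +3891,23 @@`); since `0 (default) - Lock down the home button` is the locked-down setting, add `Most restricted value: 0` after the supported values. The availability row for this section appears to carry five cells (`cross mark` plus four `check mark5`) under a seven-column header, and the same five-cell rows appear in the new Defender, DeliveryOptimization, DeviceGuard and DeviceInstallation sections in this commit; the table markup is stripped in this view, so confirm that the Mobile and Mobile Enterprise cells are present rather than dropped.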
    Footnote: -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. +- 1 - Supported versions, version 1607. +- 2 - Supported versions, version 1703. +- 3 - Supported versions, version 1709. +- 4 - Supported versions, version 1803. +- 5 - Added in the next major update to Windows of Windows 10. - -## Browser policies that can be set using Exchange Active Sync (EAS) - -- [Browser/AllowBrowser](#browser-allowbrowser) - - - -## Browser policies supported by Windows Holographic for Business - -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - - - -## Browser policies supported by IoT Core - -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) - - - -## Browser policies supported by Microsoft Surface Hub - -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- 
[Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) - - diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index b44471df4c..0712d689ac 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/16/2018 +ms.date: 08/08/2018 --- # Policy CSP - Cellular @@ -54,7 +54,7 @@ ms.date: 04/16/2018 Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -126,7 +126,7 @@ The following list shows the supported values: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -178,7 +178,7 @@ ADMX Info: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -230,7 +230,7 @@ ADMX Info: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 
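Review bot: The rewritten footnote entries `- 1 - Supported versions, version 1607.` through `- 4 - Supported versions, version 1803.` no longer form a sentence, and `- 5 - Added in the next major update to Windows of Windows 10.` is garbled; the Defender, DeliveryOptimization and DeviceGuard files in this same commit use `- 5 - Added in the next major release of Windows 10.`, so this file should use that wording for 5 and keep the `Added in Windows 10, version 1607.` form for 1–4. The same hunk deletes the EAS, Windows Holographic for Business, IoT Core and Surface Hub policy lists; if that content moved elsewhere the commit should say where, since otherwise the page loses its only per-platform support information for those policies.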
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 26bd1f5d3e..0806fb596a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Connectivity @@ -142,11 +142,11 @@ The following list shows the supported values: Mobile Enterprise - cross mark cross mark check mark - cross mark - cross mark + check mark + check mark + check mark check mark check mark @@ -264,7 +264,7 @@ To validate on mobile devices, do the following: Mobile Enterprise - check mark2 + check mark check mark2 check mark2 check mark2 
@@ -972,40 +972,5 @@ Footnote: - -## Connectivity policies that can be set using Exchange Active Sync (EAS) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - - - -## Connectivity policies supported by Windows Holographic for Business - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - - - -## Connectivity policies supported by IoT Core - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - - - -## Connectivity policies supported by Microsoft Surface Hub - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) - diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 0cef60bd72..1295ab27a3 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -67,7 +67,8 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > [!Note] > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. -This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, next major version, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 3fa83ab1c8..285c21097a 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/13/2018 --- # Policy CSP - DataUsage @@ -33,67 +33,11 @@ ms.date: 03/12/2018 **DataUsage/SetCost3G** - - - - - - - - - - - - - - - - - - - - -
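Review bot: The added `Note: This policy doesn’t support Delete command. ...` line is a plain paragraph, while the same section already expresses its other caveat as a `> [!Note]` callout two lines above; write the new caveat as a callout as well, `> [!Note]` followed by `> This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, next major version, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported.`, so both render alike. The new sentence should also make clear whether that future support applies to a value that was already set to 1 on an earlier version, since the preceding sentence says such a value cannot be reset.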
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - -This policy setting configures the cost of 3G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. +This policy is deprecated in Windows 10, next major version. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set 3G Cost* -- GP name: *SetCost3G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - -
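Review bot: The new side reduces **DataUsage/SetCost3G** to the single line `This policy is deprecated in Windows 10, next major version.` while the availability table it keeps still marks the policy as supported on Pro, Business, Enterprise and Education; readers targeting the versions that table still covers lose the value definitions (`Unrestricted`, `Fixed`, `Variable`), the statement that the cost is `Fixed` by default, and the ADMX mapping. Keep the description and ADMX Info and place the deprecation sentence in front of them, or mark the table cells as deprecated too, so the page still documents the versions on which the policy works.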
    diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index e9f70080d3..78c970b208 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/08/2018 --- # Policy CSP - Defender +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -67,6 +69,9 @@ ms.date: 05/14/2018
    Defender/AvgCPULoadFactor
    +
    + Defender/CheckForSignaturesBeforeRunningScan +
    Defender/CloudBlockLevel
    @@ -82,9 +87,18 @@ ms.date: 05/14/2018
    Defender/DaysToRetainCleanedMalware
    +
    + Defender/DisableCatchupFullScan +
    +
    + Defender/DisableCatchupQuickScan +
    Defender/EnableControlledFolderAccess
    +
    + Defender/EnableLowCPUPriority +
    Defender/EnableNetworkProtection
    @@ -115,6 +129,12 @@ ms.date: 05/14/2018
    Defender/ScheduleScanTime
    +
    + Defender/SignatureUpdateFallbackOrder +
    +
    + Defender/SignatureUpdateFileSharesSources +
    Defender/SignatureUpdateInterval
    @@ -935,8 +955,8 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark + check mark3 + check mark3 check mark3 check mark3 check mark3 @@ -993,8 +1013,8 @@ ADMX Info: Mobile Enterprise - cross mark - cross mark + check mark3 + check mark3 check mark3 check mark3 check mark3 @@ -1101,6 +1121,78 @@ Valid values: 0–100
    + +**Defender/CheckForSignaturesBeforeRunningScan** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. + +This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. + +If you enable this setting, a check for new definitions will occur before running a scan. + +If you disable this setting or do not configure this setting, the scan will start using the existing definitions. + +Supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Check for the latest virus and spyware definitions before running a scheduled scan* +- GP name: *CheckForSignaturesBeforeRunningScan* +- GP element: *CheckForSignaturesBeforeRunningScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
    + **Defender/CloudBlockLevel** @@ -1116,7 +1208,7 @@ Valid values: 0–100 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1188,7 +1280,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1250,7 +1342,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1305,7 +1397,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1408,6 +1500,146 @@ Valid values: 0–90
    + +**Defender/DisableCatchupFullScan** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. + +If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. + +Supported values: + +- 0 - Disabled +- 1 - Enabled (default) + + + +ADMX Info: +- GP English name: *Turn on catch-up full scan* +- GP name: *Scan_DisableCatchupFullScan* +- GP element: *Scan_DisableCatchupFullScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
    + + +**Defender/DisableCatchupQuickScan** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. + +If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. + +Supported values: + +- 0 - Disabled +- 1 - Enabled (default) + + + +ADMX Info: +- GP English name: *Turn on catch-up quick scan* +- GP name: *Scan_DisableCatchupQuickScan* +- GP element: *Scan_DisableCatchupQuickScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
    + **Defender/EnableControlledFolderAccess** @@ -1423,7 +1655,7 @@ Valid values: 0–90 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1471,6 +1703,76 @@ The following list shows the supported values:
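Review bot: In the new **Defender/DisableCatchupFullScan** section the value list `- 1 - Enabled (default)` contradicts the sentence `If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off`: if the unconfigured default turns catch-up scans off, the default value cannot be the one described as turning them on. The node is named `Disable…` while the ADMX English name is `Turn on catch-up full scan`, so `Enabled`/`Disabled` is ambiguous here; state each value by its effect, e.g. `- 0 - Catch-up scans for scheduled full scans are turned on` and `- 1 - Catch-up scans for scheduled full scans are turned off`, and put `(default)` on whichever matches the not-configured behavior after checking it against the ADMX. The same wording and the same contradiction appear in **Defender/DisableCatchupQuickScan** in this hunk.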
    + +**Defender/EnableLowCPUPriority** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to enable or disable low CPU priority for scheduled scans. + +If you enable this setting, low CPU priority will be used during scheduled scans. + +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Configure low CPU priority for scheduled scans* +- GP name: *Scan_LowCpuPriority* +- GP element: *Scan_LowCpuPriority* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
    + **Defender/EnableNetworkProtection** @@ -1486,7 +1788,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -2110,6 +2412,145 @@ Valid values: 0–1380.
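Review bot: The sentence `If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.` in the new **Defender/EnableLowCPUPriority** section has a typo; it should read `If you disable or do not configure this setting, no changes will be made to CPU priority for scheduled scans.` The value list `0 - Disabled (default)` / `1 - Enabled` agrees with that sentence, so no other change is needed in this section.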
    + +**Defender/SignatureUpdateFallbackOrder** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. + +Possible values are: + +- InternalDefinitionUpdateServer +- MicrosoftUpdateServer +- MMPC +- FileShares + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, definition update sources will be contacted in a default order. + + + +ADMX Info: +- GP English name: *Define the order of sources for downloading definition updates* +- GP name: *SignatureUpdate_FallbackOrder* +- GP element: *SignatureUpdate_FallbackOrder* +- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
    + + +**Defender/SignatureUpdateFileSharesSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + + +ADMX Info: +- GP English name: *Define file shares for downloading definition updates* +- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
    + **Defender/SignatureUpdateInterval** @@ -2319,6 +2760,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 104c932ccf..7c7ed13b63 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/06/2018 --- # Policy CSP - DeliveryOptimization +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
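Review bot: Neither **Defender/SignatureUpdateFallbackOrder** nor **Defender/SignatureUpdateFileSharesSources** states the node's data type or how the string is carried in SyncML, although both take a pipe-separated string; the DeviceInstallation sections added in this same commit carry a `> [!TIP]` block on ADMX-backed policies with `<Format>chr</Format>`, and these two sections need the equivalent or an explicit data-type line, plus a `Supported values`/default line like the other new Defender sections. The examples `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }` and `"{\\unc1 | \\unc2 }"` leave it unclear whether the braces, quotes and spaces are part of the value; state the exact literal the node accepts once. **Defender/SignatureUpdateFileSharesSources** presumably only takes effect when `FileShares` appears in the fallback order — confirm — and if so both sections should say so, since a share list that is never consulted is a silent misconfiguration for an administrator who relies on an internal update source.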
    @@ -25,6 +27,9 @@ ms.date: 05/14/2018
    DeliveryOptimization/DOAllowVPNPeerCaching
    +
    + DeliveryOptimization/DOCacheHost +
    DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    @@ -217,6 +222,67 @@ The following list shows the supported values:
    + +**DeliveryOptimization/DOCacheHost** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +[Reserved for future use] + + + +ADMX Info: +- GP English name: *[Reserved for future use] Cache Server Hostname* +- GP name: *CacheHost* +- GP element: *CacheHost* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + + + + + + + + + + + + +
    + **DeliveryOptimization/DODelayBackgroundDownloadFromHttp** @@ -1231,7 +1297,6 @@ ADMX Info: **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** - [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -1501,6 +1566,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 8e395ec5f7..ac8fca65ac 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/08/2018 --- # Policy CSP - Desktop @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark - check mark + cross mark check mark check mark cross mark diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 345a36f617..cacbb2acc6 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/30/2018 --- # Policy CSP - DeviceGuard +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -19,6 +21,9 @@ ms.date: 03/12/2018 ## DeviceGuard policies
    +
    + DeviceGuard/EnableSystemGuard +
    DeviceGuard/EnableVirtualizationBasedSecurity
    @@ -31,6 +36,75 @@ ms.date: 03/12/2018
    +
    + + +**DeviceGuard/EnableSystemGuard** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy allows the IT admin to configure the launch of System Guard. + +Secure Launch configuration: + +- 0 - Unmanaged, configurable by Administrative user +- 1 - Enables Secure Launch if supported by hardware +- 2 - Disables Secure Launch. + +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). + + + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *SystemGuardDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + + + + + + + + + + + +
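Review bot: The new **DeviceGuard/EnableSystemGuard** section lists `0`, `1` and `2` under `Secure Launch configuration:` without marking a default and without the `Supported values:` heading used by the other new sections in this commit; mark the not-configured behavior, e.g. `- 0 (default) - Unmanaged, configurable by Administrative user` if that is the case, and end the three items consistently (only `2 - Disables Secure Launch.` has a period). The ADMX mapping (`GP English name: *Turn On Virtualization Based Security*`, `GP element: *SystemGuardDrop*`) suggests this node is an element of the VBS policy rather than a standalone one, so the section should say whether **DeviceGuard/EnableVirtualizationBasedSecurity** must also be enabled for this value to take effect — presumably yes, but confirm. The availability row marks Pro and Business as `cross mark` while Enterprise and Education are `check mark5`; if that edition restriction is intended, nothing in the section explains it.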
    @@ -215,6 +289,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 7fd6d96493..5dabbc96ab 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/23/2018 --- # Policy CSP - DeviceInstallation +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -19,6 +21,18 @@ ms.date: 03/12/2018 ## DeviceInstallation policies
    +
    + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs +
    +
    + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses +
    +
    + DeviceInstallation/PreventDeviceMetadataFromNetwork +
    +
    + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings +
    DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    @@ -28,6 +42,290 @@ ms.date: 03/12/2018
    +
    + + +**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. + +If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Allow installation of devices that match any of these device IDs* +- GP name: *DeviceInstall_IDs_Allow* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + + +
    + + +**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. + +If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Allow installation of devices using drivers that match these device setup classes* +- GP name: *DeviceInstall_Classes_Allow* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + + +
    + + +**DeviceInstallation/PreventDeviceMetadataFromNetwork** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. + +If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). + +If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent device metadata retrieval from the Internet* +- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork* +- GP path: *System/Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + + + + + + + + + + + +
    + + +**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. + +If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting. + +If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of devices not described by other policy settings* +- GP name: *DeviceInstall_Unspecified_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + +
    @@ -159,6 +457,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 46a6862046..94e15bf96e 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/08/2018 --- # Policy CSP - DeviceLock @@ -150,11 +150,11 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark check mark - cross mark - cross mark + check mark + check mark + check mark + check mark check mark check mark @@ -180,8 +180,6 @@ Specifies whether to show a user-configurable setting to control the screen time > [!NOTE] > This policy must be wrapped in an Atomic command. - - > [!IMPORTANT] > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. @@ -508,8 +506,6 @@ Specifies how many passwords can be stored in the history that can’t be used. > [!NOTE] > This policy must be wrapped in an Atomic command. - - The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. 
@@ -543,8 +539,8 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark + check mark1 + check mark1 check mark1 check mark1 check mark1 @@ -993,7 +989,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1046,7 +1042,7 @@ GP Info: Mobile Enterprise - cross mark + check mark check mark check mark check mark @@ -1108,7 +1104,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark check mark check mark check mark 
@@ -1217,32 +1213,3 @@ Footnote: - -## DeviceLock policies that can be set using Exchange Active Sync (EAS) - -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) - - - -## DeviceLock policies supported by Windows Holographic for Business - -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) - - diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 060689251b..7e1be2a448 100644 
--- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/08/2018 --- # Policy CSP - Display @@ -53,7 +53,7 @@ ms.date: 03/12/2018 Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -105,7 +105,7 @@ ADMX Info: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -177,7 +177,7 @@ The following list shows the supported values: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md new file mode 100644 index 0000000000..2960d7874f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -0,0 +1,111 @@ +--- +title: Policy CSP - DmaGuard +description: Policy CSP - DmaGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/29/2018 +--- + +# Policy CSP - DmaGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + + +## DmaGuard policies + +
    +
    + DmaGuard/DeviceEnumerationPolicy +
    +
    + + +
    + + +**DmaGuard/DeviceEnumerationPolicy** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. + +> [!Note] +> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. + +Supported values: + +0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time. + +1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen + +2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time + + + +ADMX Info: +- GP English name: *Enumeration policy for external devices incompatible with Kernel DMA Protection* +- GP name: *DmaGuardEnumerationPolicy* +- GP path: *System/Kernel DMA Protection* +- GP ADMX file name: *dmaguard.admx* + + + + + + + + + + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index e8f2b997fc..472aa8161b 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -246,10 +246,10 @@ The default value is an empty string. Otherwise, the value should contain the UR cross mark - cross mark - cross mark - cross mark - cross mark + check mark2 + check mark2 + check mark2 + check mark2 check mark2 check mark2 diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index aca458292c..96f63a2056 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Experience +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -19,6 +21,9 @@ ms.date: 05/14/2018 ## Experience policies
    +
    + Experience/AllowClipboardHistory +
    Experience/AllowCopyPaste
    @@ -85,9 +90,86 @@ ms.date: 05/14/2018
    Experience/DoNotShowFeedbackNotifications
    +
    + Experience/DoNotSyncBrowserSettings +
    +
    + Experience/PreventUsersFromTurningOnBrowserSyncing +
    +
    + + +**Experience/AllowClipboardHistory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Allows history of clipboard items to be stored in memory. + +Value type is integer. Supported values: +- 0 - Not allowed +- 1 - Allowed (default) + + + +ADMX Info: +- GP English name: *Allow Clipboard History* +- GP name: *AllowClipboardHistory* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + + + + + + + +**Validation procedure** + +1. Configure Experiences/AllowClipboardHistory to 0. +1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. +1. Press Win+V to open the clipboard history UI. +1. You should not see any clipboard item including current item you copied. +1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. + + + +
    @@ -276,7 +358,7 @@ The following list shows the supported values: cross mark check mark2 - check mark2 + cross mark check mark2 check mark2 check mark2 @@ -594,9 +676,9 @@ The following list shows the supported values: cross mark check mark2 - check mark2 - check mark2 cross mark + check mark2 + check mark2 cross mark cross mark @@ -717,7 +799,7 @@ The following list shows the supported values: check mark1 check mark1 check mark1 - cross mark + check mark1 cross mark cross mark @@ -833,9 +915,9 @@ The following list shows the supported values: cross mark cross mark - check mark - check mark cross mark + check mark + check mark cross mark cross mark @@ -897,9 +979,9 @@ The following list shows the supported values: cross mark cross mark - check mark1 - check mark1 cross mark + check mark1 + check mark1 cross mark cross mark @@ -961,9 +1043,9 @@ The following list shows the supported values: cross mark cross mark - check mark2 - check mark2 cross mark + check mark2 + check mark2 cross mark cross mark @@ -1024,9 +1106,9 @@ The following list shows the supported values: cross mark cross mark - check mark4 - check mark4 cross mark + check mark4 + check mark4 @@ -1086,9 +1168,9 @@ The following list shows the supported values: cross mark cross mark - check mark2 - check mark2 cross mark + check mark2 + check mark2 cross mark cross mark @@ -1150,9 +1232,9 @@ The following list shows the supported values: cross mark cross mark - check mark - check mark cross mark + check mark + check mark cross mark cross mark @@ -1208,9 +1290,9 @@ The following list shows the supported values: cross mark cross mark - check mark1 - check mark1 cross mark + check mark1 + check mark1 cross mark cross mark @@ -1269,7 +1351,7 @@ The following list shows the supported values: Mobile Enterprise - check mark1 + cross mark check mark1 check mark1 check mark1 @@ -1313,6 +1395,159 @@ The following list shows the supported values: + +
    + + +**Experience/DoNotSyncBrowserSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] + +Related policy: + PreventUsersFromTurningOnBrowserSyncing + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +Supported values: + +- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. + +Value type is integer. + + + + + + + + + +
    + + +**Experience/PreventUsersFromTurningOnBrowserSyncing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + +Related policy: + DoNotSyncBrowserSettings + + +If you want to prevent syncing of browser settings and prevent users from turning it on: +1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured). + +If you want to prevent syncing of browser settings but give users a choice to turn on syncing: +1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled). + + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP element: *CheckBox_UserOverride* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +Supported values: + +- 0 - Allowed/turned on. Users can sync the browser settings. +- 1 (default) - Prevented/turned off. + +Value type is integer. + + + + + +**Validation procedure:** + +Microsoft Edge on your PC: +1. Select **More > Settings**. +1. See if the setting is enabled or disabled based on your setting. + + + +
    Footnote: @@ -1321,13 +1556,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## Experience policies supported by Windows Holographic for Business - -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 07582f80bf..a74fbeccf3 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - Handwriting @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark3 - check mark3 + cross mark check mark3 check mark3 cross mark diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index 10663ef1ad..8745836c59 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - Location @@ -42,7 +42,7 @@ ms.date: 03/12/2018 Mobile Enterprise - check mark2 + cross mark check mark2 check mark2 check mark2 diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index e5f9888352..9e96723b2f 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - Messaging @@ -102,10 +102,10 @@ The following list shows the supported values: cross mark + check mark1 cross mark - - cross mark - cross mark + check mark1 + check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 23a98eaa7b..f45615badd 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,4886 +1,4865 @@ ---- -title: Policy CSP - Privacy -description: Policy CSP - Privacy -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 06/05/2018 ---- - -# Policy CSP - Privacy - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
    - - -## Privacy policies - -
    -
    - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
    -
    - Privacy/AllowCrossDeviceClipboard -
    -
    - Privacy/AllowInputPersonalization -
    -
    - Privacy/DisableAdvertisingId -
    -
    - Privacy/EnableActivityFeed -
    -
    - Privacy/LetAppsAccessAccountInfo -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCalendar -
    -
    - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory -
    -
    - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCamera -
    -
    - Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessContacts -
    -
    - Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessEmail -
    -
    - Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput -
    -
    - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessLocation -
    -
    - Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMessaging -
    -
    - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone -
    -
    - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMotion -
    -
    - Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessNotifications -
    -
    - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessPhone -
    -
    - Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessRadios -
    -
    - Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTasks -
    -
    - Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsRunInBackground -
    -
    - Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
    -
    - Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
    -
    - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices -
    -
    - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
    -
    - Privacy/PublishUserActivities -
    -
    - Privacy/UploadUserActivities -
    -
    - - -
    - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -> [!Note] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - - - - -
    - - -**Privacy/AllowCrossDeviceClipboard** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Clipboard synchronization across devices* -- GP name: *AllowCrossDeviceClipboard* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -0 – Not allowed. -1 (default) – Allowed. - - - - - - - - - - -
    - - -**Privacy/AllowInputPersonalization** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck markcheck mark
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow input personalization* -- GP name: *AllowInputPersonalization* -- GP path: *Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Privacy/DisableAdvertisingId** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Turn off the advertising ID* -- GP name: *DisableAdvertisingId* -- GP path: *System/User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - - - - -
    - - -**Privacy/EnableActivityFeed** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. - - - -ADMX Info: -- GP English name: *Enables Activity Feed* -- GP name: *EnableActivityFeed* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). -- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCalendar** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCallHistory** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCamera** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessContacts** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessEmail** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessGazeInput** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - - - -
    - - -**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - - - -
    - - -**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - - - -
    - - -**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - - - -
    - - -**Privacy/LetAppsAccessLocation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMessaging** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMicrophone** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMotion** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessNotifications** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessPhone** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessRadios** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTasks** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTrustedDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - - -Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsSyncWithDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/PublishUserActivities** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. - - - -ADMX Info: -- GP English name: *Allow publishing of User Activities* -- GP name: *PublishUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the *user activities*. -- 1 – (default) Enabled. Apps/OS can publish the *user activities*. - - - - -
    - - -**Privacy/UploadUserActivities** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows ActivityFeed to upload published 'User Activities'. - - - -ADMX Info: -- GP English name: *Allow upload of User Activities* -- GP name: *UploadUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - - - - - - - - - - -
    - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - - -## Privacy policies supported by Windows Holographic for Business - -- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) -- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) - - - -## Privacy policies supported by IoT Core - -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) - - - -## Privacy policies supported by Microsoft Surface Hub - -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- 
[Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - - +--- +title: Policy CSP - Privacy +description: Policy CSP - Privacy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/14/2018 +--- + +# Policy CSP - Privacy + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + + +## Privacy policies + +
    +
    + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +
    +
    + Privacy/AllowCrossDeviceClipboard +
    +
    + Privacy/AllowInputPersonalization +
    +
    + Privacy/DisableAdvertisingId +
    +
    + Privacy/DisablePrivacyExperience +
    +
    + Privacy/EnableActivityFeed +
    +
    + Privacy/LetAppsAccessAccountInfo +
    +
    + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessCalendar +
    +
    + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessCallHistory +
    +
    + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessCamera +
    +
    + Privacy/LetAppsAccessCamera_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessCamera_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessContacts +
    +
    + Privacy/LetAppsAccessContacts_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessContacts_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessEmail +
    +
    + Privacy/LetAppsAccessEmail_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessEmail_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessGazeInput +
    +
    + Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessLocation +
    +
    + Privacy/LetAppsAccessLocation_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessLocation_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessMessaging +
    +
    + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessMicrophone +
    +
    + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessMotion +
    +
    + Privacy/LetAppsAccessMotion_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessMotion_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessNotifications +
    +
    + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessPhone +
    +
    + Privacy/LetAppsAccessPhone_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessPhone_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessRadios +
    +
    + Privacy/LetAppsAccessRadios_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessRadios_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessTasks +
    +
    + Privacy/LetAppsAccessTasks_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessTasks_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessTrustedDevices +
    +
    + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsGetDiagnosticInfo +
    +
    + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +
    +
    + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +
    +
    + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsRunInBackground +
    +
    + Privacy/LetAppsRunInBackground_ForceAllowTheseApps +
    +
    + Privacy/LetAppsRunInBackground_ForceDenyTheseApps +
    +
    + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsSyncWithDevices +
    +
    + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +
    +
    + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +
    +
    + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +
    +
    + Privacy/PublishUserActivities +
    +
    + Privacy/UploadUserActivities +
    +
    + + +
    + + +**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default)– Not allowed. +- 1 – Allowed. + + + + +
    + + +**Privacy/AllowCrossDeviceClipboard** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Clipboard synchronization across devices* +- GP name: *AllowCrossDeviceClipboard* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +0 – Not allowed. +1 (default) – Allowed. + + + + +
    + + +**Privacy/AllowInputPersonalization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck markcheck mark
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow input personalization* +- GP name: *AllowInputPersonalization* +- GP path: *Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Choice deferred to user's preference. + + + + +
    + + +**Privacy/DisableAdvertisingId** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Enables or disables the Advertising ID. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Turn off the advertising ID* +- GP name: *DisableAdvertisingId* +- GP path: *System/User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 – Enabled. +- 65535 (default)- Not configured. + + + + +
    + + +**Privacy/DisablePrivacyExperience** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + +Value type is integer. +- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. +- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. + +In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. + + + +ADMX Info: +- GP English name: *Don't launch privacy settings experience on user logon* +- GP name: *DisablePrivacyExperience* +- GP path: *Windows Components/OOBE* +- GP ADMX file name: *OOBE.admx* + + + + + + + + + + + + + +
    + + +**Privacy/EnableActivityFeed** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + + + +ADMX Info: +- GP English name: *Enables Activity Feed* +- GP name: *EnableActivityFeed* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + + + + +
    + + +**Privacy/LetAppsAccessAccountInfo** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessCalendar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessCallHistory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+
+
    + + +**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+
+
    + + +**Privacy/LetAppsAccessCamera** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
+
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
+
+
+
    + + +**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+
+
    + + +**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+
+
    + + +**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+
+
    + + +**Privacy/LetAppsAccessContacts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessEmail** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access email. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessGazeInput** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
    + + +**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
    + + +**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
    + + +**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
    + + +**Privacy/LetAppsAccessLocation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access location. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMessaging** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMicrophone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMotion** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessPhone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessRadios** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTasks** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTrustedDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsGetDiagnosticInfo** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsRunInBackground** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + + +Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsSyncWithDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
    + + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
    + + +**Privacy/PublishUserActivities** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + + + +ADMX Info: +- GP English name: *Allow publishing of User Activities* +- GP name: *PublishUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. + + + + +
    + + +**Privacy/UploadUserActivities** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Allows ActivityFeed to upload published 'User Activities'. + + + +ADMX Info: +- GP English name: *Allow upload of User Activities* +- GP name: *UploadUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 90d61b4f33..f51a32f819 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Search @@ -860,15 +860,5 @@ Footnote: - -## Search policies that can be set using Exchange Active Sync (EAS) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - - - -## Search policies supported by Windows Holographic for Business - -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 923b4a3d8a..e6171c839d 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 08/09/2018 --- # Policy CSP - Security +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -43,6 +45,9 @@ ms.date: 06/26/2018
    Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
    +
    + Security/RecoveryEnvironmentAuthentication +
    Security/RequireDeviceEncryption
    @@ -393,7 +398,7 @@ The following list shows the supported values: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -488,6 +493,87 @@ The following list shows the supported values:
    + +**Security/RecoveryEnvironmentAuthentication** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +Added in Windows 10, next major version. This policy controls the Admin Authentication requirement in RecoveryEnvironment. + +Supported values: +- 0 - Default: Keep using default(current) behavior +- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment +- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment + + + + + + + + + +**Validation procedure** + +The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. +The process of starting Push Button Reset (PBR) in WinRE: + +1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. +1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". + +If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior: + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options. + +If the MDM policy is set to "RequireAuthentication" (1) + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication. + +If the MDM policy is set to "NoRequireAuthentication" (2) + +1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication. +1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. +1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither. + + + + +
    + **Security/RequireDeviceEncryption** @@ -661,34 +747,9 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## Security policies that can be set using Exchange Active Sync (EAS) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by Windows Holographic for Business - -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by IoT Core - -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - - - -## Security policies supported by Microsoft Surface Hub - -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index ba5cc1e9ef..a88b2464f6 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/09/2018 --- # Policy CSP - Settings @@ -239,10 +239,10 @@ The following list shows the supported values: cross mark - cross mark - cross mark - cross mark - cross mark + check mark1 + check mark1 + check mark1 + check mark1 check mark1 check mark1 
@@ -849,10 +849,5 @@ Footnote: - -## Settings policies supported by Windows Holographic for Business -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) - diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 20b484e71e..e7bdc48ee7 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -185,7 +185,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. +Added in Windows 10, version 1703. Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index f499ec5037..43023aecdc 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/09/2018 --- # Policy CSP - Speech @@ -42,7 +42,7 @@ ms.date: 05/14/2018 Mobile Enterprise - check mark1 + cross mark check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 080a8fa8c1..5c8db780af 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md 
@@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 08/14/2018 --- # Policy CSP - Start +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -49,6 +51,9 @@ ms.date: 06/26/2018
    Start/AllowPinnedFolderVideos
    +
    + Start/DisableContextMenus +
    Start/ForceStartSize
    @@ -621,6 +626,67 @@ The following list shows the supported values:
    + +**Start/DisableContextMenus** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark4check mark4check mark4check mark4
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +Enabling this policy prevents context menus from being invoked in the Start Menu. + + + +ADMX Info: +- GP English name: *Disable context menus in the Start Menu* +- GP name: *DisableContextMenusInStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + + + + + + + + + + + +
    + **Start/ForceStartSize** @@ -637,7 +703,7 @@ The following list shows the supported values: cross mark - cross mark + check mark check mark check mark check mark @@ -1726,7 +1792,7 @@ To validate on Desktop, do the following: cross mark - cross mark + check mark check mark check mark check mark @@ -1780,6 +1846,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b7f8fb114a..63649af40c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 07/30/2018 --- # Policy CSP - System @@ -1194,34 +1194,5 @@ Footnote: - -## System policies that can be set using Exchange Active Sync (EAS) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Windows Holographic for Business - -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - - - -## System policies supported by IoT Core - -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Microsoft Surface Hub - -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md new file mode 100644 index 0000000000..7001fe088f 
--- /dev/null +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -0,0 +1,99 @@ +--- +title: Policy CSP - TaskManager +description: Policy CSP - TaskManager +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 07/05/2018 +--- + +# Policy CSP - TaskManager + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + + +## TaskManager policies + +
    +
    + TaskManager/AllowEndTask +
    +
    + + +
    + + +**TaskManager/AllowEndTask** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5cross markcheck mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This setting determines whether non-administrators can use Task Manager to end tasks. + +Value type is integer. Supported values: + - 0 - Disabled. EndTask functionality is blocked in TaskManager. + - 1 - Enabled (default). Users can perform EndTask in TaskManager. + + + + + + + + + +**Validation procedure:** +When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager +When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 2b295a2044..e96eb5340c 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 08/09/2018 --- # Policy CSP - TextInput @@ -650,6 +650,30 @@ The following list shows the supported values: **TextInput/AllowLinguisticDataCollection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + [Scope](./policy-configuration-service-provider.md#policy-scope): diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 85e5983698..df68eeee47 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/10/2018 --- # Policy CSP - Update +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
    @@ -46,6 +48,9 @@ ms.date: 05/14/2018
    Update/AutoRestartDeadlinePeriodInDays
    +
    + Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +
    Update/AutoRestartNotificationSchedule
    @@ -79,12 +84,21 @@ ms.date: 05/14/2018
    Update/EngagedRestartDeadline
    +
    + Update/EngagedRestartDeadlineForFeatureUpdates +
    Update/EngagedRestartSnoozeSchedule
    +
    + Update/EngagedRestartSnoozeScheduleForFeatureUpdates +
    Update/EngagedRestartTransitionSchedule
    +
    + Update/EngagedRestartTransitionScheduleForFeatureUpdates +
    Update/ExcludeWUDriversInQualityUpdate
    @@ -154,9 +168,18 @@ ms.date: 05/14/2018
    Update/SetAutoRestartNotificationDisable
    +
    + Update/SetDisablePauseUXAccess +
    +
    + Update/SetDisableUXWUAccess +
    Update/SetEDURestart
    +
    + Update/UpdateNotificationLevel +
    Update/UpdateServiceUrl
    @@ -690,11 +713,21 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. +For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. -Supported values are 2-30 days. +Value type is integer. Default is 7 days. -The default value is 7 days. +Supported values range: 2-30. + +Note that the PC must restart for certain updates to take effect. + +If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +If any of the following two policies are enabled, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. @@ -710,6 +743,72 @@ ADMX Info:
    + +**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. + +Value type is integer. Default is 7 days. + +Supported values range: 2-30. + +Note that the PC must restart for certain updates to take effect. + +If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +If any of the following two policies are enabled, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + +ADMX Info: +- GP English name: *Specify deadline before auto-restart for update installation* +- GP name: *AutoRestartDeadline* +- GP element: *AutoRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
    + **Update/AutoRestartNotificationSchedule** @@ -1402,11 +1501,20 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). +For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. -Supported values are 2-30 days. +Value type is integer. Default is 14. -The default value is 0 days (not specified). +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation @@ -1422,6 +1530,71 @@ ADMX Info:
    + +**Update/EngagedRestartDeadlineForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
    + **Update/EngagedRestartSnoozeSchedule** @@ -1458,11 +1631,18 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. +For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -Supported values are 1-3 days. +Value type is integer. Default is 3 days. -The default value is 3 days. +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation @@ -1478,6 +1658,69 @@ ADMX Info:
    + +**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
    + **Update/EngagedRestartTransitionSchedule** @@ -1514,11 +1757,18 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Supported values are 2-30 days. +Value type is integer. -The default value is 7 days. +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation @@ -1534,6 +1784,69 @@ ADMX Info:
    + +**Update/EngagedRestartTransitionScheduleForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
    + **Update/ExcludeWUDriversInQualityUpdate** @@ -2871,6 +3184,108 @@ The following list shows the supported values:
    + +**Update/SetDisablePauseUXAccess** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature. + +Value type is integer. Default is 0. Supported values 0, 1. + + + +ADMX Info: +- GP name: *SetDisablePauseUXAccess* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
    + + +**Update/SetDisableUXWUAccess** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. + +Value type is integer. Default is 0. Supported values 0, 1. + + + +ADMX Info: +- GP name: *SetDisableUXWUAccess* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
    + **Update/SetEDURestart** @@ -2929,6 +3344,75 @@ The following list shows the supported values:
    + +**Update/UpdateNotificationLevel** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. + +Options: + +- 0 (default) – Use the default Windows Update notifications +- 1 – Turn off all notifications, excluding restart warnings +- 2 – Turn off all notifications, including restart warnings + +> [!Important] +> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + + + +ADMX Info: +- GP English name: *Display options for update notifications* +- GP name: *UpdateNotificationLevel* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
    + **Update/UpdateServiceUrl** 
@@ -3081,49 +3565,6 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - - -## Update policies supported by Windows Holographic for Business - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by IoT Core - -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by Microsoft Surface Hub - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- 
[Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) - - diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index b8322c4c8e..25ff1652b7 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,11 +6,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - WindowsDefenderSecurityCenter +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +
    @@ -27,6 +30,9 @@ ms.date: 03/12/2018
    WindowsDefenderSecurityCenter/DisableAppBrowserUI
    +
    + WindowsDefenderSecurityCenter/DisableClearTpmButton +
    WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    @@ -45,6 +51,9 @@ ms.date: 03/12/2018
    WindowsDefenderSecurityCenter/DisableNotifications
    +
    + WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning +
    WindowsDefenderSecurityCenter/DisableVirusUI
    @@ -69,6 +78,9 @@ ms.date: 03/12/2018
    WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    +
    + WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl +
    WindowsDefenderSecurityCenter/Phone
    @@ -95,7 +107,7 @@ ms.date: 03/12/2018 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -149,7 +161,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -207,7 +219,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -252,6 +264,80 @@ The following list shows the supported values:
    + +**WindowsDefenderSecurityCenter/DisableClearTpmButton** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Disable the Clear TPM button in Windows Security. + +Enabled: +The Clear TPM button will be unavailable for use. + +Disabled: +The Clear TPM button will be available for use on supported systems. + +Not configured: +Same as Disabled. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Disable the Clear TPM button* +- GP name: *DeviceSecurity_DisableClearTpmButton* +- GP path: *Windows Components/Windows Security/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + + + + + + + + + + + +
    + **WindowsDefenderSecurityCenter/DisableDeviceSecurityUI** @@ -267,7 +353,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -325,7 +411,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -388,7 +474,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -448,7 +534,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -508,7 +594,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -568,7 +654,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -613,6 +699,80 @@ The following list shows the supported values:
    + +**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. + +Enabled: +Users will not be shown a recommendation to update their TPM Firmware. + +Disabled: +Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. + +Not configured: +Same as Disabled. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Hide the TPM Firmware Update recommendation.* +- GP name: *DeviceSecurity_DisableTpmFirmwareUpdateWarning* +- GP path: *Windows Components/Windows Security/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + + + + + + + + + + + +
    + **WindowsDefenderSecurityCenter/DisableVirusUI** @@ -628,7 +788,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -688,7 +848,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -748,7 +908,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -802,7 +962,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -862,7 +1022,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -922,7 +1082,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -980,7 +1140,7 @@ Valid values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1038,7 +1198,7 @@ Valid values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1081,6 +1241,82 @@ Valid values:
    + +**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark5check mark5check mark5check mark5check mark5
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting hides the Windows Security notification area control. + +The user needs to either sign out and sign in or reboot the computer for this setting to take effect. + +Enabled: +Windows Security notification area control will be hidden. + +Disabled: +Windows Security notification area control will be shown. + +Not configured: +Same as Disabled. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Hide Windows Security Systray* +- GP name: *Systray_HideSystray* +- GP path: *Windows Components/Windows Security/Systray* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + + + + + + + + + + + +
    + **WindowsDefenderSecurityCenter/Phone** @@ -1096,7 +1332,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1150,7 +1386,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1194,6 +1430,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index fe63238f62..07a7954820 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/12/2018 --- # Policy CSP - WindowsLogon @@ -143,6 +143,31 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. +Here is an example to enable this policy: + +``` syntax + + + + 300 + + 301 + + + ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI + + + chr + + ]]> + + + + + + +``` + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 6c1ca5bd2d..96beff9c33 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/09/2018 --- # Policy CSP - WirelessDisplay @@ -363,6 +363,29 @@ The following list shows the supported values: **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + [Scope](./policy-configuration-service-provider.md#policy-scope): diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 624c67cddb..d841e29aa4 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/03/2018 +ms.date: 08/09/2018 --- # Policy DDF file @@ -1406,30 +1406,6 @@ Related policy: - - ForceEnabledExtensions - - - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - - HomePages 
@@ -1654,6 +1630,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PreventTurningOffRequiredExtensions + + + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + + PreventUsingLocalHostIPAddressForWebRTC @@ -8614,6 +8631,52 @@ Related policy: + + Privacy + + + + + + + + + + + + + + + + + + + + + DisablePrivacyExperience + + + + + + + + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + + Security @@ -10528,34 +10591,6 @@ Related policy: LastWrite - - ForceEnabledExtensions - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - ForceEnabledExtensions_List - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ForceEnabledExtensions - LastWrite - - HomePages 
@@ -10806,6 +10841,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure + + PreventTurningOffRequiredExtensions + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + PreventTurningOffRequiredExtensions_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventTurningOffRequiredExtensions + LastWrite + + PreventUsingLocalHostIPAddressForWebRTC @@ -18546,6 +18626,54 @@ Related policy: + + Privacy + + + + + + + + + + + + + + + + + + + DisablePrivacyExperience + + + + + 0 + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + phone + OOBE.admx + OOBE~AT~WindowsComponents~OOBE + DisablePrivacyExperience + LowestValueMostSecure + + + Security @@ -22272,30 +22400,6 @@ Related policy: - - ForceEnabledExtensions - - - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - - HomePages 
@@ -22520,6 +22624,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PreventTurningOffRequiredExtensions + + + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + + PreventUsingLocalHostIPAddressForWebRTC @@ -27063,7 +27208,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DoNotSyncBrowserSetting + DoNotSyncBrowserSettings @@ -27098,7 +27243,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSetting + Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing 
@@ -34352,38 +34497,6 @@ Default: Disabled. - - MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession - - - - - - - - Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - - - - - - - - - text/plain - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways @@ -36623,6 +36736,30 @@ The options are: + + DisablePrivacyExperience + + + + + + + + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + EnableActivityFeed @@ -41468,6 +41605,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + AllowDeviceNameInDiagnosticData + + + + + + + + This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + + + + + + + + + text/plain + + + AllowEmbeddedMode @@ -44073,7 +44234,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - UpdateNotificationKioskMode + UpdateNotificationLevel 
@@ -49551,34 +49712,6 @@ Related policy: LastWrite - - ForceEnabledExtensions - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - ForceEnabledExtensions_List - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ForceEnabledExtensions - LastWrite - - HomePages 
@@ -49829,6 +49962,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure + + PreventTurningOffRequiredExtensions + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + PreventTurningOffRequiredExtensions_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventTurningOffRequiredExtensions + LastWrite + + PreventUsingLocalHostIPAddressForWebRTC @@ -53218,7 +53396,7 @@ Related policy: - EnableSystemGuard + ConfigureSystemGuardLaunch @@ -54899,7 +55077,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DoNotSyncBrowserSetting + DoNotSyncBrowserSettings @@ -54935,7 +55113,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 1 You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSetting + Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing 
@@ -63004,41 +63182,6 @@ Default: Disabled. LastWrite - - MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession - - - - - 15 - Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Amount of idle time required before suspending session - LowestValueMostSecure - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways @@ -63402,7 +63545,7 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi - 0 + 3 Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: 
@@ -63455,7 +63598,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send - 0 + 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: @@ -63493,7 +63636,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - 0 + 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: @@ -65452,6 +65595,34 @@ The options are: LowestValueMostSecureZeroHasNoLimits + + DisablePrivacyExperience + + + + + 0 + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + phone + OOBE.admx + OOBE~AT~WindowsComponents~OOBE + DisablePrivacyExperience + LowestValueMostSecure + + EnableActivityFeed @@ -69810,12 +69981,12 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + phone SmartScreen.admx SmartScreen~AT~WindowsComponents~SmartScreen~Shell ConfigureAppInstallControl - HighestValueMostSecure + LastWrite 
@@ -70823,6 +70994,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LowestValueMostSecure + + AllowDeviceNameInDiagnosticData + + + + + 0 + This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + + + + + + + + + text/plain + + + DataCollection.admx + AllowDeviceNameInDiagnosticData + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + AllowDeviceNameInDiagnosticData + LowestValueMostSecure + + AllowEmbeddedMode @@ -72934,7 +73133,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx EngagedRestartTransitionSchedule WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat @@ -72962,7 +73161,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx EngagedRestartTransitionScheduleForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat @@ -73677,7 +73876,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - UpdateNotificationKioskMode + UpdateNotificationLevel @@ -73699,7 +73898,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - UpdateNotificationKioskMode + UpdateNotificationLevel LastWrite @@ -75931,4 +76130,4 @@ Because of these factors, users do not usually need this user right. Warning: If -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index b5bccdbf85..bfb5dfd307 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md 
@@ -41,7 +41,7 @@ The following diagram shows the Reboot configuration service provider management

    The supported operations are Get, Add, Replace, and Delete.

    **Schedule/DailyRecurrent** -

    This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

    +

    This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.

    The supported operations are Get, Add, Replace, and Delete.

    diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 366bb79824..82818fd8da 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/23/2018 +ms.date: 08/13/2018 --- # RemoteWipe CSP @@ -44,7 +44,28 @@ Supported operation is Exec. **doWipePersistUserData** Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. -  + +**AutomaticRedeployment** +Added in Windows 10, next major update. Node for the Autopilot Reset operation. + +**AutomaticRedeployment/doAutomaticRedeployment** +Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + +**AutomaticRedeployment/LastError** +Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). + +**AutomaticRedeployment/Status** +Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation. + +Supported values: + +- 0: Never run (not started). The default state. +- 1: Complete. +- 10: Reset has been scheduled. +- 20: Reset is scheduled and waiting for a reboot. +- 30: Failed during CSP Execute ("Exec" in SyncML). +- 40: Failed: power requirements not met. +- 50: Failed: reset internals failed during reset attempt. ## Related topics 
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 0f0de9b725..b2adadcfd1 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/23/2018 +ms.date: 08/13/2018 --- # RemoteWipe DDF file @@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 1709. +The XML below is the DDF for Windows 10, next major version. ``` syntax @@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1709. - + com.microsoft/1.1/MDM/RemoteWipe The root node for remote wipe function. 
@@ -131,21 +131,91 @@ The XML below is the DDF for Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + AutomaticRedeployment + + + + + + + + + + + + + + + + + + + doAutomaticRedeployment + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + 0 + Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). + + + + + + + + + + + text/plain + + + + + Status + + + + + 0 + Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. + + + + + + + + + + + text/plain + + + + -``` - -## Related topics - - -[RemoteWipe configuration service provider](remotewipe-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index d4fff403d1..3733920512 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 07/20/2018 --- # SUPL CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The SUPL configuration service provider is used to configure the location client, as shown in the following table. 
@@ -220,18 +222,51 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam **RootCertificate/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate2** +Specifies the root certificate for the H-SLP server. + **RootCertificate2/Name** Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate2/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate3** +Specifies the root certificate for the H-SLP server. + **RootCertificate3/Name** Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate3/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate4** +Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. + +**RootCertificate4/Name** +Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate4/Data** +Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate5** +Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. + +**RootCertificate5/Name** +Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate5/Data** +Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate6** +Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. + +**RootCertificate6/Name** +Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate6/Data** +Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. + **V2UPL1** Required for V2 UPL for CDMA. 
Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 0fe52da790..ec126158b6 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -7,17 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 07/20/2018 --- # SUPL DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -43,7 +45,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.1/MDM/SUPL 
@@ -200,7 +202,7 @@ The XML below is the current version for this CSP. 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -477,7 +479,7 @@ The XML below is the current version for this CSP. - + RootCertificate4 @@ -542,7 +544,7 @@ The XML below is the current version for this CSP. - + RootCertificate5 @@ -607,7 +609,7 @@ The XML below is the current version for this CSP. - + RootCertificate6 @@ -672,7 +674,7 @@ The XML below is the current version for this CSP. - + 
@@ -749,7 +751,7 @@ The XML below is the current version for this CSP. 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -858,13 +860,3 @@ The XML below is the current version for this CSP. ``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md new file mode 100644 index 0000000000..43449f403a --- /dev/null +++ b/windows/client-management/mdm/tenantlockdown-csp.md 
@@ -0,0 +1,39 @@
+---
+title: TenantLockdown CSP
+description:
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 08/13/2018
+---
+
+# TenantLockdown CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, next major version.
+
+The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.
+
+> [!Note]
+> The forced network connection is only applicable to devices after reset (not new).
+
+The following diagram shows the TenantLockdown configuration service provider in tree format.
+
+![TenantLockdown CSP diagram](images/provisioning-csp-tenantlockdown.png)
+
+**./Vendor/MSFT/TenantLockdown**
+The root node.
+
+**RequireNetworkInOOBE**
+Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon.
+
+When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option.
+
+Value type is bool. Supported operations are Get and Replace.
+
+- true - Require network in OOBE
+- false - No network connection requirement in OOBE
+
+Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
\ No newline at end of file diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md new file mode 100644 index 0000000000..4c75123a3f --- /dev/null +++ b/windows/client-management/mdm/tenantlockdown-ddf.md @@ -0,0 +1,75 @@ +--- +title: TenantLockdown DDF file +description: XML file containing the device description framework +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/13/2018 +--- + +# TenantLockdown DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **TenantLockdown** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is for Windows 10, next major version. + +``` syntax + +]> + + 1.2 + + TenantLockdown + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/TenantLockdown + + + + RequireNetworkInOOBE + + + + + + false + true - Require network in OOBE, false - no network connection requirement in OOBE + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e98cd44400..e7dc68df1b 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
@@ -255,7 +255,14 @@ An optional flag to enable Always On mode. This will automatically connect the V > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. -  +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + Valid values: diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 6e43514e39..708ac76bd8 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/16/2018 +ms.date: 06/28/2018 --- # WiFi CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range. 
@@ -59,8 +61,6 @@ If it exists in the blob, the **keyType** and **protected** elements must come b > **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963). -  - The supported operations are Add, Get, Delete, and Replace. **Proxy** @@ -96,6 +96,17 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr Value type is bool. +**WiFiCost** +Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. + +Supported values: + +- 1 - Unrestricted - unlimited connection +- 2 - Fixed - capacity constraints up to a certain data limit +- 3 - Variable - paid on per byte basic + +Supported operations are Add, Get, Replace and Delete. Value type is integer. + ## Examples diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index b5bcd3d75e..a4ec65ad3c 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md 
@@ -7,15 +7,200 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 06/28/2018 --- # WiFi DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. -Content under development and will be published soon. +The XML below is for Windows 10, next major version. + +``` syntax + + +]> + + 1.2 + + WiFi + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/WiFi + + + + Profile + + + + + + + + + + + + + + + + + + + + + + + + + + + The Profile name of the Wi-Fi network. This is added when WlanXML node is added and deleted when Wlanxml is deleted. + + + + + + + + + + SSID + + + + + + WlanXml + + + + + + + + + XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx + + + + + + + + + + + + text/plain + + + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + text/plain + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + text/plain + + + + + ProxyWPAD + + + + + + + + Optional node: The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + text/plain + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md new file mode 100644 index 0000000000..5718fd4b66 --- /dev/null +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md 
@@ -0,0 +1,615 @@
+---
+title: Win32CompatibilityAppraiser CSP
+description:
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 07/19/2018
+---
+
+# Win32CompatibilityAppraiser CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, next major version.
+
+The following diagram shows the Win32CompatibilityAppraiser configuration service provider in tree format.
+
+![Win32CompatibilityAppraiser CSP diagram](images/provisioning-csp-win32compatibilityappraiser.png)
+
+**./Vendor/MSFT/Win32CompatibilityAppraiser**
+The root node for the Win32CompatibilityAppraiser configuration service provider.
+
+**CompatibilityAppraiser**
+This represents the state of the Compatibility Appraiser.
+
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
+This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
+
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
+The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
+
+Value type is string. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
+A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
+A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
+A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
+An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
+
+The values are:
+- 0 == Neither the code nor data is of a sufficient version
+- 1 == The code version is insufficient but the data version is sufficient
+- 2 == The code version is sufficient but the data version is insufficient
+- 3 == Both the code and data are of a sufficient version
+
+Value type is integer. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
+A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserRunResultReport**
+This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
+
+For the report XML schema see [Appraiser run result report](#appraiser-run-result-report).
+
+**UniversalTelemetryClient**
+This represents the state of the Universal Telemetry Client, or DiagTrack service.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis**
+This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
+An integer value representing what level of telemetry will be uploaded.
+
+Value type is integer. Supported operation is Get.
+
+The values are:
+- 0 == Security data will be sent
+- 1 == Basic telemetry will be sent
+- 2 == Enhanced telemetry will be sent
+- 3 == Full telemetry will be sent
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
+An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
+
+Value type is integer. Supported operation is Get.
+
+The values are:
+- 0 == Setting is disabled
+- 1 == Setting is enabled
+- 2 == Setting is not applicable to this version of Windows
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
+A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
+
+Value type is bool. Supported operation is Get.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
+A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
+
+Value type is bool. Supported operation is Get.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
+An integer value representing what websites Internet Explorer will collect telemetry data for.
+
+Value type is integer. Supported operation is Get.
+
+The values are:
+- 0 == Telemetry collection is disabled
+- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones
+- 2 == Telemetry collection is enabled for internet websites and restricted website zones
+- 3 == Telemetry collection is enabled for all websites
+- 0x7FFFFFFF == Telemetry collection is not configured
+
+**UniversalTelemetryClient/UtcConnectionReport**
+This provides an XML representation of the UTC connections during the most recent summary period.
+
+For the report XML schema, see [UTC connection report](#utc-connection-report).
+
+**WindowsErrorReporting**
+This represents the state of the Windows Error Reporting service.
+
+**WindowsErrorReporting/WerConfigurationDiagnosis**
+This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload.
+
+**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
+An integer value indicating the amount of WER data that will be uploaded.
+
+Value type integer. Supported operation is Get.
+
+The values are:
+- 0 == Data will not send due to UTC opt-in
+- 1 == Data will not send due to WER opt-in
+- 2 == Basic WER data will send but not the complete set of data
+- 3 == The complete set of WER data will send
+
+
+**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
+An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
+
+Value type integer. Supported operation is Get.
+ +The values are: +- 0 == System telemetry settings are restricting uploads +- 1 == WER basic policies are restricting uploads +- 2 == WER advanced policies are restricting uploads +- 3 == WER consent policies are restricting uploads +- 4 == There are no restrictive settings + +**WindowsErrorReporting/WerConnectionReport** +This provides an XML representation of the most recent WER connections of various types. + +For the report XML schema, see [Windows Error Reporting connection report](#windows-error-reporting-connection-report). + +## XML schema for the reports + +### Appraiser run result report + +``` + + + + CSP schema for the Compatibility Appraiser Diagnostic CSP. + Schema defining the Win32CompatibilityAppraiser\CompatibilityAppraiser\AppraiserRunResultReport CSP node. + Copyright (c) Microsoft Corporation, all rights reserved. + + + + Defines a category of Appraiser run. + + + + + LastSecurityModeRunAttempt - The most recent run that was skipped because the "Allow Telemetry" setting was set to "Security". + + + + + LastEnterpriseRun - The most recent run that was invoked with the "ent" command line. + + + + + LastFatallyErroredRun - The most recent run that returned a failed "ErrorCode". + + + + + LastSuccessfulRun - The most recent run that returned a successful "ErrorCode". + + + + + LastFullSyncRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run). + + + + + LastSuccessfulFullSyncRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run) and also returned a successful "ErrorCode". + + + + + LastSuccessfulFromEnterprisePerspectiveRun - The most recent run that returned a successful "EnterpriseErrorCode". 
+ + + + + LastSuccessfulFromEnterprisePerspectiveEnterpriseRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run) and also returned a successful "EnterpriseErrorCode". + + + + + LastSuccessfulFromEnterprisePerspectiveEnterpriseRun - The most recent run that was invoked with the "ent" command line and also returned a successful "EnterpriseErrorCode". + + + + + + + Represents the most recent run of the Compatibility Appraiser. + + + + + CurrentlyRunning - A boolean representing whether the specified Compatibility Appraiser run is still in progress. + + + + + CrashedOrInterrupted - A boolean representing whether the specified Compatibility Appraiser run ended before it finished scanning for compatibility data. + + + + + ErrorCode - An integer which is the HRESULT error code, of a type that is relevant to any computer, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + EnterpriseErrorCode - An integer which is the HRESULT error code, of a type that is relevant mainly to enterprise computers, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + RunStartTimestamp - The time when the specified Compatibility Appraiser run started. + + + + + RunEndTimestamp - The time when the specified Compatibility Appraiser run ended. + + + + + ComponentWhichCausedErrorCode - The name of the internal component, if any, which caused the ErrorCode node to be a failure value during the specified Compatibility Appraiser run. Note that the ErrorCode node might be a failure value for a reason other than an internal component failure. + + + + + ErroredComponent - The name of one of the internal components, if any, which encountered failure HRESULT codes during the specified Compatibility Appraiser run. 
A failure of an internal component may not necessarily cause the ErrorCode node to contain a failed HRESULT code. + + + + + + + Represents the most recent run of the Compatibility Appraiser that satisfied a particular condition. + + + + + ErrorCode - An integer which is the HRESULT error code, of a type that is relevant to any computer, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + EnterpriseErrorCode - An integer which is the HRESULT error code, of a type that is relevant mainly to enterprise computers, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + RunStartTimestamp - The time when the specified Compatibility Appraiser run started. + + + + + RunEndTimestamp - The time when the specified Compatibility Appraiser run ended. + + + + + ComponentWhichCausedErrorCode - The name of the internal component, if any, which caused the ErrorCode node to be a failure value during the specified Compatibility Appraiser run. Note that the ErrorCode node might be a failure value for a reason other than an internal component failure. + + + + + ErroredComponent - The name of one of the internal components, if any, which encountered failure HRESULT codes during the specified Compatibility Appraiser run. A failure of an internal component may not necessarily cause the ErrorCode node to contain a failed HRESULT code. + + + + + + RunCategory - A string which details the category of Appraiser run. + + + + + + Defines the latest run results for all known categories. + + + + + LastRunResult - Represents the most recent run of the Compatibility Appraiser. + + + + + LastRunResultForCategory - Represents the most recent run of the Compatibility Appraiser that satisfied a particular condition. + + + + + + +``` + +### UTC connection report + +``` + + + + CSP schema for the Compatibility Appraiser Diagnostic CSP. 
+ Schema defining the Win32CompatibilityAppraiser\UniversalTelemetryClient\UtcConnectionReport CSP node. + Copyright (c) Microsoft Corporation, all rights reserved. + + + + Defines the latest UTC connection results, if any. + + + + + ConnectionSummaryStartingTimestamp - The starting time of the most recent UTC summary window. + + + + + ConnectionSummaryEndingTimestamp - The ending time of the most recent UTC summary window. + + + + + TimestampOfLastSuccessfulUpload - The ending time of the most recent UTC summary window that included a successful data upload. + + + + + LastHttpErrorCode - The HTTP error code from the last failed internet connection. + + + + + ProxyDetected - A boolean value representing whether an internet connection during the summary window was directed through a proxy. + + + + + ConnectionsSuccessful - An integer value summarizing the success of internet connections during the summary window. The values are: 0 == "All connections failed", 1 == "Some connections succeeded and some failed", and 2 == "All connections succeeded". + + + + + DataUploaded - An integer value summarizing the success of data uploads during the summary window. The values are: 0 == "All data was dropped", 1 == "Some data was dropped and some was sent successfully", 2 == "All data was sent successfully", and 3 == "No data was present to upload". + + + + + AnyCertificateValidationFailures - A boolean value representing whether there were any failed attempts to validate certificates in the summary window. + + + + + LastCertificateValidationFailureCode - The most recent error code from a failed attempt at validating a certificate. + + + + + + + Lists results of UTC connections. + + + + + Defines the latest UTC connection results, if any. + + + + + + +``` + +### Windows Error Reporting connection report + +``` + + + + CSP schema for the Compatibility Appraiser Diagnostic CSP. + Schema defining the Win32CompatibilityAppraiser\WindowsErrorReporting\WerConnectionReport CSP node. 
+ Copyright (c) Microsoft Corporation, all rights reserved. + + + + LastNormalUploadSuccess - A summary of the last time WER successfully performed a normal data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + UploadDuration - The time taken while attempting the upload. + + + + + PayloadSize - The size of the payload that WER attempted to upload. + + + + + Protocol - The communication protocol that WER used during the upload. + + + + + Stage - The processing stage that WER was in when the upload ended. + + + + + BytesUploaded - The number of bytes that WER successfully uploaded. + + + + + ServerName - The name of the server that WER attempted to upload data to. + + + + + + + LastNormalUploadFailure - A summary of the last time WER failed to perform a normal data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + HttpExchangeResult - The result of the HTTP connection between WER and the server that it tried to upload to. + + + + + UploadDuration - The time taken while attempting the upload. + + + + + PayloadSize - The size of the payload that WER attempted to upload. + + + + + Protocol - The communication protocol that WER used during the upload. + + + + + Stage - The processing stage that WER was in when the upload ended. + + + + + RequestStatusCode - The status code returned by the server in response to the upload request. + + + + + BytesUploaded - The number of bytes that WER successfully uploaded. + + + + + ServerName - The name of the server that WER attempted to upload data to. + + + + + TransportHr - The HRESULT code encountered when transferring data to the server. + + + + + + + LastResumableUploadSuccess - A summary of the last time WER successfully performed a resumable data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + LastBlockId - The identifier of the most recent block of the payload that WER attempted to upload. 
+ + + + + TotalBytesUploaded - The number of bytes that WER successfully uploaded so far, possibly over multiple resumable upload attempts. + + + + + + + LastResumableUploadFailure - A summary of the last time WER failed to perform a resumable data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + HttpExchangeResult - The result of the HTTP connection between WER and the server that it tried to upload to. + + + + + LastBlockId - The identifier of the most recent block of the payload that WER attempted to upload. + + + + + TotalBytesUploaded - The number of bytes that WER successfully uploaded so far, possibly over multiple resumable upload attempts. + + + + + + + Defines the latest WER connection results, if any. + + + + + LastNormalUploadSuccess - A summary of the last time WER successfully performed a normal data upload, if any. + + + + + LastNormalUploadFailure - A summary of the last time WER failed to perform a normal data upload, if any. + + + + + LastResumableUploadSuccess - A summary of the last time WER successfully performed a resumable data upload, if any. + + + + + LastResumableUploadFailure - A summary of the last time WER failed to perform a resumable data upload, if any. + + + + + + + Lists results of WER connections. + + + + + Defines the latest WER connection results, if any. + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md new file mode 100644 index 0000000000..9b8a7d81c5 --- /dev/null +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md 
@@ -0,0 +1,537 @@ +--- +title: Win32CompatibilityAppraiser DDF file +description: XML file containing the device description framework +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 07/19/2018 +--- + +# Win32CompatibilityAppraiser DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is for Windows 10, next major version. + +``` syntax + +]> + + 1.2 + + Win32CompatibilityAppraiser + ./Device/Vendor/MSFT + + + + + The root node for the Win32CompatibilityAppraiser configuration service provider. + + + + + + + + + + + com.microsoft/1.0/MDM/Win32CompatibilityAppraiser + + + + CompatibilityAppraiser + + + + + This represents the state of the Compatibility Appraiser. + + + + + + + + + + CompatibilityAppraiser + + + + + + AppraiserConfigurationDiagnosis + + + + + This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data. + + + + + + + + + + AppraiserConfigurationDiagnosis + + + + + + CommercialId + + + + + The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. + + + + + + + + + + CommercialId + + text/plain + + + + + CommercialIdSetAndValid + + + + + A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. 
+ + + + + + + + + + CommercialIdSetAndValid + + text/plain + + + + + AllTargetOsVersionsRequested + + + + + A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. + + + + + + + + + + AllTargetOsVersionsRequested + + text/plain + + + + + OsSkuIsValidForAppraiser + + + + + A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser. + + + + + + + + + + OsSkuIsValidForAppraiser + + text/plain + + + + + AppraiserCodeAndDataVersionsAboveMinimum + + + + + An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version". + + + + + + + + + + AppraiserCodeVersionAboveMinimum + + text/plain + + + + + RebootPending + + + + + A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. + + + + + + + + + + RebootPending + + text/plain + + + + + + AppraiserRunResultReport + + + + + This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations. + + + + + + + + + + AppraiserRunResultReport + + text/plain + + + + + + UniversalTelemetryClient + + + + + This represents the state of the Universal Telemetry Client, or DiagTrack service. 
+ + + + + + + + + + UniversalTelemetryClient + + + + + + UtcConfigurationDiagnosis + + + + + This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload. + + + + + + + + + + UtcConfigurationDiagnosis + + + + + + TelemetryOptIn + + + + + An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent". + + + + + + + + + + TelemetryOptIn + + text/plain + + + + + CommercialDataOptIn + + + + + An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows". + + + + + + + + + + CommercialDataOptIn + + text/plain + + + + + DiagTrackServiceRunning + + + + + A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. + + + + + + + + + + DiagTrackServiceRunning + + text/plain + + + + + MsaServiceEnabled + + + + + A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. + + + + + + + + + + MsaServiceEnabled + + text/plain + + + + + InternetExplorerTelemetryOptIn + + + + + An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured". 
+ + + + + + + + + + InternetExplorerTelemetryOptIn + + text/plain + + + + + + UtcConnectionReport + + + + + This provides an XML representation of the UTC connections during the most recent summary period. + + + + + + + + + + UtcConnectionReport + + text/plain + + + + + + WindowsErrorReporting + + + + + This represents the state of the Windows Error Reporting service. + + + + + + + + + + WindowsErrorReporting + + + + + + WerConfigurationDiagnosis + + + + + This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload. + + + + + + + + + + WerConfigurationDiagnosis + + + + + + WerTelemetryOptIn + + + + + An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send". + + + + + + + + + + WerTelemetryOptIn + + text/plain + + + + + MostRestrictiveSetting + + + + + An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings". + + + + + + + + + + MostRestrictiveSetting + + text/plain + + + + + + WerConnectionReport + + + + + This provides an XML representation of the most recent WER connections of various types. + + + + + + + + + + WerConnectionReport + + text/plain + + + + + + +``` \ No newline at end of file 
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index de75c4898d..6f359562af 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/22/2018
+ms.date: 08/02/2018
 ---
 # WindowsDefenderApplicationGuard CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
@@ -19,20 +21,19 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
 ![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png)
 **./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
-

    Root node. Supported operation is Get.

    -

    +Root node. Supported operation is Get. **Settings** -

    Interior node. Supported operation is Get.

    +Interior node. Supported operation is Get. **Settings/AllowWindowsDefenderApplicationGuard** -

    Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. **Settings/ClipboardFileType** -

    Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Disables content copying. - 1 - Allow text copying. @@ -40,7 +41,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se - 3 - Allow text and image copying. **Settings/ClipboardSettings** -

    This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete

    +This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. - 1 - Turns On clipboard operation from an isolated session to the host @@ -51,7 +52,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. **Settings/PrintingSettings** -

    This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Disables all print functionality (default) - 1 - Enables only XPS printing @@ -70,13 +71,13 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se - 15 - Enables all printing **Settings/BlockNonEnterpriseContent** -

    This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete. -- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard. -- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. +- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.. +- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard. **Settings/AllowPersistence** -

    This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. @@ -93,29 +94,62 @@ Added in Windows 10, version 1803. This policy setting allows you to determine w - 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. -**Status** -

    Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
+**Settings/FileTrustCriteria**
+Placeholder for future use. Do not use in production code.
-Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
+**Settings/FileTrustOriginRemovableMedia**
+Placeholder for future use. Do not use in production code.
+
+**Settings/FileTrustOriginNetworkShare**
+Placeholder for future use. Do not use in production code.
+
+**Settings/FileTrustOriginMarkOfTheWeb**
+Placeholder for future use. Do not use in production code.
+
+**Settings/CertificateThumbprints**
+Added in Windows 10, next major version. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
+
+Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
+
+If you disable or don’t configure this setting, certificates are not shared with the Windows Defender Application Guard container.
+
+**Settings/AllowCameraMicrophoneRedirection**
+Added in Windows 10, next major version. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the user’s device.
+
+If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the user’s device.
+
+> [!Important]
+> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
+
+**Status**
+Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
+
+Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
 Bit 1 - Set to 1 when the client machine is Hyper-V capable
 Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
 Bit 3 - Set to 1 when WDAG installed on the client machine
 Bit 4 - Set to 1 when required Network Isolation Policies are configured
 Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
-

    - **InstallWindowsDefenderApplicationGuard** -

    Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.

    +Initiates remote installation of Application Guard feature. Supported operations are Get and Execute. - Install - Will initiate feature install - Uninstall - Will initiate feature uninstall **Audit** -

    Interior node. Supported operation is Get

    +Interior node. Supported operation is Get **Audit/AuditApplicationGuard** -

    This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.

    +This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete. - 0 (default) - - Audit event logs aren't collected for Application Guard. - 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 33e53da2a3..dfda523b86 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -6,17 +6,19 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/22/2018
+ms.date: 08/02/2018
 ---
 # WindowsDefenderApplicationGuard DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-This XML is for Windows 10, version 1803.
+This XML is for Windows 10, next major version.
 ``` syntax
@@ -42,7 +44,7 @@ This XML is for Windows 10, version 1803.
- com.microsoft/1.2/MDM/WindowsDefenderApplicationGuard
+ com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard
@@ -248,6 +250,147 @@ This XML is for Windows 10, version 1803. + + FileTrustCriteria + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginRemovableMedia + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginNetworkShare + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginMarkOfTheWeb + + + + + + + + + + + + + + + + + + text/plain + + + + + CertificateThumbprints + + + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCameraMicrophoneRedirection + + + + + + + + + + + + + + + + + + text/plain + + + Status diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 24786700eb..5957967b3e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 10/09/2017 +ms.date: 08/15/2018 --- # WindowsLicensing CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices. The following diagram shows the WindowsLicensing configuration service provider in tree format. 
@@ -157,8 +160,34 @@ The data type is a chr. The supported operation is Get.
+**SMode**
+Interior node for managing S mode.
+**SMode/SwitchingPolicy**
+Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Supported values:
+- 0 - No Restriction: The user is allowed to switch the device out of S mode.
+- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
+
+**SMode/SwitchFromSMode**
+Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
+
+Supported operation is Execute.
+
+**SMode/Status**
+Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
+
+Value type is integer. Supported operation is Get.
+
+Values:
+- Request fails with error code 404 - no SwitchFromSMode request has been made.
+- 0 - The device successfully switched out of S mode
+- 1 - The device is processing the request to switch out of S mode
+- 3 - The device was already switched out of S mode
+- 4 - The device failed to switch out of S mode
 ## SyncML examples
@@ -293,6 +322,140 @@ The supported operation is Get. ``` +**Get S mode status** + +``` + + + + 6 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/Status + + + + + + + +``` + +**Execute SwitchFromSMode** + +``` + + + + 5 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode + + + + null + text/plain + + + + + + + +``` + +**Add S mode SwitchingPolicy** + +``` + + + + 4 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Get S mode SwitchingPolicy** + +``` + + + + 2 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` + +**Replace S mode SwitchingPolicy** + +``` + + + + 1 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Delete S mode SwitchingPolicy** + +``` + + + + 3 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index df272ec6f1..8da5c10b5c 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md 
@@ -7,16 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 07/16/2017 --- # WindowsLicensing DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/WindowsLicensing + com.microsoft/1.3/MDM/WindowsLicensing @@ -294,21 +297,101 @@ The XML below is the current version for this CSP. + + SMode + + + + + + + + + + + + + + + + + + + SwitchingPolicy + + + + + + + + Policy that determines whether a consumer can switch the device out of S mode + + + + + + + + + + + + + + text/plain + + + + + SwitchFromSMode + + + + + Switches a device out of S mode if possible. Does not reboot. + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. + + + + + + + + + + + + + + text/plain + + + + -``` - -## Related topics - - -[WindowsLicensing configuration service provider](windowslicensing-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md new file mode 100644 index 0000000000..6a06c59879 --- /dev/null +++ b/windows/client-management/mdm/wirednetwork-csp.md 
@@ -0,0 +1,34 @@
+---
+title: WiredNetwork CSP
+description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 06/27/2018
+---
+
+# WiredNetwork CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, next major version.
+
+The following diagram shows the WiredNetwork configuration service provider in tree format.
+
+![WiredNetwork CSP diagram](images/provisioning-csp-wirednetwork.png)
+
+**./Device/Vendor/MSFT/WiredNetwork**
+Root node.
+
+**LanXML**
+Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx.
+
+Supported operations are Add, Get, Replace, and Delete. Value type is string.
+
+**EnableBlockPeriod**
+ Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
+
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
\ No newline at end of file
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
new file mode 100644
index 0000000000..0a156256a0
--- /dev/null
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -0,0 +1,167 @@ +--- +title: WiredNetwork DDF file +description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/28/2018 +--- + +# WiredNetwork DDF file + + +This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. This CSP was added in Windows 10, version 1511. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + WiredNetwork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + text/plain + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + text/plain + + + + + + WiredNetwork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + text/plain + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 8c39396225..dad54fdffa 100644 
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,13 +1,20 @@ # [Configure Windows 10](index.md) ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) -## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) -### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) -### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) -### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) +## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md) +### [Prepare a device for kiosk configuration](kiosk-prepare.md) +### [Set up digital signs on Windows 10](setup-digital-signage.md) +### [Set up a single-app kiosk](kiosk-single-app.md) +### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) +### [More kiosk methods and reference information](kiosk-additional-reference.md) +#### [Validate your kiosk configuration](kiosk-validate.md) +#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) +#### [Policies enforced on kiosk devices](kiosk-policies.md) +#### [Assigned access XML reference](kiosk-xml.md) +#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) +#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) +#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) -#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md) -### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md) ## [Configure Windows 10 Mobile 
devices](mobile-devices/configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) @@ -122,6 +129,7 @@ #### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md) #### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md) #### [WeakCharger](wcd/wcd-weakcharger.md) +#### [WindowsHelloForBusiness](wcd/wcd-windowshelloforbusiness.md) #### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md) #### [WLAN](wcd/wcd-wlan.md) #### [Workplace](wcd/wcd-workplace.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 333294779e..6ec85f01c1 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,13 +10,25 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 06/27/2018 +ms.date: 08/03/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## August 2018 + +New or changed topic | Description +--- | --- +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added instructions for specifying multiple URLs in configuration settings for Kiosk Browser. + +## July 2018 + +New or changed topic | Description +--- | --- +[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md). + ## June 2018 New or changed topic | Description 
@@ -68,7 +80,7 @@ New or changed topic | Description New or changed topic | Description --- | --- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. -Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer. +Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer. ## February 2018 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 844295ad38..a032dc458d 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,6 +1,6 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/31/2018 +ms.date: 08/15/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -45,6 +45,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +>[!NOTE] +>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. + **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). @@ -55,18 +58,29 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr >[!NOTE] >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). -#### Kiosk Browser settings +### Kiosk Browser settings Kiosk Browser settings | Use this setting to --- | --- -Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

    For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. -Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

    If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

    For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

    If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. +>[!IMPORTANT] +>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> +> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +>3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +>4. Save the XML file. +>5. Open the project again in Windows Configuration Designer. +>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. + + >[!TIP] >To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: >- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton 
diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/images/kiosk-desktop.PNG
new file mode 100644
index 0000000000..cf74c646c7
Binary files /dev/null and b/windows/configuration/images/kiosk-desktop.PNG differ
diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/images/kiosk-fullscreen-sm.png
new file mode 100644
index 0000000000..b096d6837d
Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen-sm.png differ
diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/images/kiosk-fullscreen.PNG
new file mode 100644
index 0000000000..37ccd4f8a4
Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen.PNG differ
diff --git a/windows/configuration/images/kiosk-intune.PNG b/windows/configuration/images/kiosk-intune.PNG
new file mode 100644
index 0000000000..2cbe25c6a5
Binary files /dev/null and b/windows/configuration/images/kiosk-intune.PNG differ
diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/images/kiosk-settings.PNG
new file mode 100644
index 0000000000..51a4338371
Binary files /dev/null and b/windows/configuration/images/kiosk-settings.PNG differ
diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/images/kiosk-wizard.png
new file mode 100644
index 0000000000..160e170e5c
Binary files /dev/null and b/windows/configuration/images/kiosk-wizard.png differ
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/images/kiosk.png
new file mode 100644
index 0000000000..868ea31bb1
Binary files /dev/null and b/windows/configuration/images/kiosk.png differ
diff --git a/windows/configuration/images/office-logo.png b/windows/configuration/images/office-logo.png
new file mode 100644
index 0000000000..cd6d504301
Binary files /dev/null and b/windows/configuration/images/office-logo.png differ
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/images/set-assignedaccess.png
new file mode 100644
index 0000000000..c2899361eb
Binary files /dev/null and b/windows/configuration/images/set-assignedaccess.png differ
diff --git a/windows/configuration/images/user.PNG b/windows/configuration/images/user.PNG
new file mode 100644
index 0000000000..d1386d4a0d
Binary files /dev/null and b/windows/configuration/images/user.PNG differ
diff --git a/windows/configuration/images/windows.png b/windows/configuration/images/windows.png
new file mode 100644
index 0000000000..e3889eff6a
Binary files /dev/null and b/windows/configuration/images/windows.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 5ed671a894..11ec530a2c 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -22,7 +22,8 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | -| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | +| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. | | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | | [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md
new file mode 100644
index 0000000000..8260c569cf
--- /dev/null
+++ b/windows/configuration/kiosk-additional-reference.md
@@ -0,0 +1,37 @@ +--- +title: More kiosk methods and reference information (Windows 10) +description: Find more information for configuring, validating, and troubleshooting kiosk configuration. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +--- + +# More kiosk methods and reference information + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + +## In this section + +Topic | Description +--- | --- +[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk. +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. +[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. +[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. +[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. +[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. +[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. 
+[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. + + + + diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md new file mode 100644 index 0000000000..d2c46dcb4c --- /dev/null +++ b/windows/configuration/kiosk-mdm-bridge.md 
@@ -0,0 +1,86 @@ +--- +title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) +description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +--- + +# Use MDM Bridge WMI Provider to create a Windows 10 kiosk + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. + +Here’s an example to set AssignedAccess configuration: + +1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). +2. Run `psexec.exe -i -s cmd.exe`. +3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. +4. 
Execute the following script: + +```ps +$nameSpaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = @" +<?xml version="1.0" encoding="utf-8" ?> +<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> + <Profiles> + <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> + <AllAppsList> + <AllowedApps> + <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + <App DesktopAppPath="%windir%\system32\mspaint.exe" /> + <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> + </AllowedApps> + </AllAppsList> + <StartLayout> + <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> + <LayoutOptions StartTileGroupCellWidth="6" /> + <DefaultLayoutOverride> + <StartLayoutCollection> + <defaultlayout:StartLayout GroupCellWidth="6"> + <start:Group Name="Group1"> + <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + 
</start:Group> + <start:Group Name="Group2"> + <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> + <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> + </start:Group> + </defaultlayout:StartLayout> + </StartLayoutCollection> + </DefaultLayoutOverride> + </LayoutModificationTemplate> + ]]> + </StartLayout> + <Taskbar ShowTaskbar="true"/> + </Profile> + </Profiles> + <Configs> + <Config> + <Account>MultiAppKioskUser</Account> + <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> + </Config> + </Configs> +</AssignedAccessConfiguration> +"@ + +Set-CimInstance -CimInstance $obj +``` diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md new file mode 100644 index 0000000000..a142517a28 --- /dev/null +++ b/windows/configuration/kiosk-methods.md @@ -0,0 +1,77 @@ +--- +title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) +description: Learn about the methods for configuring kiosks. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: jdeckerms +ms.date: 07/30/2018 +--- + +# Configure kiosks and digital signs on Windows desktop editions + +Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: + +| | | +--- | --- + | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

    When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

    A single-app kiosk is ideal for public use.

    (Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

    A multi-app kiosk is appropriate for devices that are shared by multiple people.

    When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + +There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. + +| | | +--- | --- +![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) +![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). +![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. +![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. 
If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + + + +## Methods for a single-app kiosk running a UWP app + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user +[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a single-app kiosk running a Windows desktop application + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD +[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a multi-app kiosk + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD +[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active 
Directory, Azure AD + +## Summary of kiosk configuration methods + +Method | App type | Account type | Single-app kiosk | Multi-app kiosk +--- | --- | --- | :---: | :---: +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X +[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X + + +>[!NOTE] +>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. + diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md new file mode 100644 index 0000000000..18b9247b19 --- /dev/null +++ b/windows/configuration/kiosk-policies.md 
@@ -0,0 +1,82 @@ +--- +title: Policies enforced on kiosk devices (Windows 10) +description: Learn about the policies enforced on a device when you configure it as a kiosk. +ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 +keywords: ["lockdown", "app restrictions", "applocker"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: edu, security +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +ms.author: jdecker +--- + +# Policies enforced on kiosk devices + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + + +It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. + +When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. + + +## Group Policy + +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. 
+ +| Setting | Value | +| --- | --- | +Remove access to the context menus for the task bar | Enabled +Clear history of recently opened documents on exit | Enabled +Prevent users from customizing their Start Screen | Enabled +Prevent users from uninstalling applications from Start | Enabled +Remove All Programs list from the Start menu | Enabled +Remove Run menu from Start Menu | Enabled +Disable showing balloon notifications as toast | Enabled +Do not allow pinning items in Jump Lists | Enabled +Do not allow pinning programs to the Taskbar | Enabled +Do not display or track items in Jump Lists from remote locations | Enabled +Remove Notifications and Action Center | Enabled +Lock all taskbar settings | Enabled +Lock the Taskbar | Enabled +Prevent users from adding or removing toolbars | Enabled +Prevent users from resizing the taskbar | Enabled +Remove frequent programs list from the Start Menu | Enabled +Remove Pinned programs from the taskbar | Enabled +Remove the Security and Maintenance icon | Enabled +Turn off all balloon notifications | Enabled +Turn off feature advertisement balloon notifications | Enabled +Turn off toast notifications | Enabled +Remove Task Manager | Enabled +Remove Change Password option in Security Options UI | Enabled +Remove Sign Out option in Security Options UI | Enabled +Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Prevent access to drives from My Computer | Enabled - Restrict all drivers + +>[!NOTE] +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. 
This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. + + + +## MDM policy + + +Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). + +Setting | Value | System-wide + --- | --- | --- +[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes +[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +Start/HidePeopleBar | 1 - True (hide) | No +[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes +[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes +[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No +[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes + diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md new file mode 100644 index 0000000000..1a38681d7c --- /dev/null +++ b/windows/configuration/kiosk-prepare.md 
@@ -0,0 +1,81 @@
+---
+title: Prepare a device for kiosk configuration (Windows 10)
+description: Some tips for device settings on kiosks.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Prepare a device for kiosk configuration
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+>[!WARNING]
+>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
+>
+>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+
+Recommendation | How to
+--- | ---
+Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

    `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

    [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

    You must restart the device after changing the registry.
+Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
+Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
+Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

    **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
+
+>[!TIP]
+>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
+
+
+**How to edit the registry to have an account sign in automatically**
+
+1. Open Registry Editor (regedit.exe).
+
+ >[!NOTE]
+ >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
+
+
+2. Go to
+
+ **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
+
+3. Set the values for the following keys.
+
+ - *AutoAdminLogon*: set value as **1**.
+
+ - *DefaultUserName*: set value as the account that you want signed in.
+
+ - *DefaultPassword*: set value as the password for the account.
+
+ > [!NOTE]
+ > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
+
+ - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
+
+4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
+
+>[!TIP]
+>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
+
+
+
+
+
+
+
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
deleted file mode 100644
index 4627f16d24..0000000000
--- a/windows/configuration/kiosk-shared-pc.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Configure kiosk and shared devices running Windows desktop editions (Windows 10)
-description:
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: jdeckerms
-ms.author: jdecker
-ms.topic: article
-ms.date: 08/08/2017
----
-
-# Configure kiosk and shared devices running Windows desktop editions
-
-Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app).
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
-| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
-| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
-| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available.
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
new file mode 100644
index 0000000000..30bb50f7de
--- /dev/null
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -0,0 +1,201 @@
+---
+title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Use Shell Launcher to create a Windows 10 kiosk
+
+
+**Applies to**
+>App type: Windows desktop application
+>
+>OS edition: Windows 10 Ent, Edu
+>
+>Account type: Local standard user or administrator, Active Directory, Azure AD
+
+
+Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+
+>[!NOTE]
+>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
+
+>[!WARNING]
+>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
+
+### Requirements
+
+- A domain or local user account.
+
+- A Windows desktop application that is installed for that account.
The app can be your own company application or a common app like Internet Explorer.
+
+[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
+
+
+### Configure Shell Launcher
+
+To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
+
+**To turn on Shell Launcher in Windows features**
+
+1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**.
+
+2. Expand **Device Lockdown**.
+
+2. Select **Shell Launcher** and **OK**.
+
+Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
+
+**To turn on Shell Launcher using DISM**
+
+1. Open a command prompt as an administrator.
+2. Enter the following command.
+
+ ```
+ Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
+ ```
+
+**To set your custom shell**
+
+Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
+ +``` +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. 
+ +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 + +# Examples. You can change these examples to use the program that you want to use as the shell. + +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Enable Shell Launcher + +$ShellLauncherClass.SetEnabled($TRUE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled +``` diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md new file mode 100644 index 0000000000..dc55bd5004 --- /dev/null 
+++ b/windows/configuration/kiosk-single-app.md
@@ -0,0 +1,244 @@
+---
+title: Set up a single-app kiosk (Windows 10)
+description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Set up a single-app kiosk
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+
+| | |
+--- | ---
+A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

    When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png)
+
+You have several options for configuring your single-app kiosk.
+
+Method | Description
+--- | ---
+[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

    This method is supported on Windows 10 Pro, Enterprise, and Education.
+[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

    This method is supported on Windows 10 Pro, Enterprise, and Education.
+[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

    This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
+[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

    This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
+
+
+>[!TIP]
+>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
+
+
+
+
+## Set up a kiosk in local Settings
+
+>App type: UWP
+>
+>OS edition: Windows 10 Pro, Ent, Edu
+>
+>Account type: Local standard user
+
+You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
+
+![The Set up assigned access page in Settings](images/kiosk-settings.png)
+
+**To set up assigned access in PC settings**
+
+1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
+
+2. Choose **Set up assigned access**.
+
+3. Choose an account.
+
+4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
+
+5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
+
+To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
+
+When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+
+- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
+
+- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
+
+![Screenshot of automatic sign-in setting](images/auto-signin.png)
+
+
+
+
+
+## Set up a kiosk using Windows PowerShell
+
+
+>App type: UWP
+>
+>OS edition: Windows 10 Pro, Ent, Edu
+>
+>Account type: Local standard user
+
+![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png)
+
+You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
+
+Before you run the cmdlet:
+
+1. Log in as administrator.
+2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
+3. Log in as the Assigned Access user account.
+4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
+5. Log out as the Assigned Access user account.
+6. Log in as administrator.
+
+To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
+
+**Configure assigned access by AppUserModelID and user name**
+
+```
+Set-AssignedAccess -AppUserModelId -UserName
+```
+**Configure assigned access by AppUserModelID and user SID**
+
+```
+Set-AssignedAccess -AppUserModelId -UserSID
+```
+**Configure assigned access by app name and user name**
+
+```
+Set-AssignedAccess -AppName -UserName
+```
+**Configure assigned access by app name and user SID**
+
+```
+Set-AssignedAccess -AppName -UserSID
+```
+
+> [!NOTE]
+> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
+
+[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
+
+[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
+
+[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
+
+To remove assigned access, using PowerShell, run the following cmdlet.
+
+```
+Clear-AssignedAccess
+```
+
+
+
+## Set up a kiosk using the kiosk wizard in Windows Configuration Designer
+
+>App type: UWP or Windows desktop application
+>
+>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types
+>
+>Account type: Local standard user, Active Directory
+
+![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png)
+
+
+>[!IMPORTANT]
+>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
+
+When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.
+ + +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. + + + + + + + + + + + + +
    ![step one](images/one.png)![set up device](images/set-up-device.png)

    Enable device setup if you want to configure settings on this page.

    **If enabled:**

    Enter a name for the device.

    (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

    Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

    You can also select to remove pre-installed software from the device.
    ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
    ![step two](images/two.png) ![set up network](images/set-up-network.png)

    Enable network setup if you want to configure settings on this page.

    **If enabled:**

    Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
    ![Enter network SSID and type](images/set-up-network-details.png)
    ![step three](images/three.png) ![account management](images/account-management.png)

    Enable account management if you want to configure settings on this page.

    **If enabled:**

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
    ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
    ![step four](images/four.png) ![add applications](images/add-applications.png)

    You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

    **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
    ![add an application](images/add-applications-details.png)
    ![step five](images/five.png) ![add certificates](images/add-certificates.png)

    To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
    ![add a certificate](images/add-certificates-details.png)
    ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
    ![Configure kiosk account and app](images/kiosk-account-details.png)
    ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

    On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
    ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
    ![finish](images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
    ![Protect your package](images/finish-details.png)
    + + +>[!NOTE] +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + + + + +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) + + + + + +  + + + +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service + +>App type: UWP +> +>OS edition: Windows 10 Pro (version 1709), Ent, Edu +> +>Account type: Local standard user, Azure AD + +![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. + +>[!TIP] +>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). + +The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. + +**To configure kiosk in Microsoft Intune** + +2. 
In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +3. Select **Device configuration**. +4. Select **Profiles**. +5. Select **Create profile**. +6. Enter a friendly name for the profile. +7. Select **Windows 10 and later** for the platform. +8. Select **Device restrictions** for the profile type. +9. Select **Kiosk**. +10. In **Kiosk Mode**, select **Single app kiosk**. +1. Enter the user account (Azure AD or a local standard user account). +11. Enter the Application User Model ID for an installed app. +14. Select **OK**, and then select **Create**. +18. Assign the profile to a device group to configure the devices in that group as kiosks. + + + +## Sign out of assigned access + +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +  + + + diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md new file mode 100644 index 0000000000..9281f546da --- /dev/null +++ b/windows/configuration/kiosk-validate.md 
@@ -0,0 +1,94 @@
+---
+title: Validate kiosk configuration (Windows 10)
+description: This topic explains what to expect on a multi-app kiosk.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Validate kiosk configuration
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
+
+Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
+
+To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
+
+>[!NOTE]
+>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
+
+The following sections explain what to expect on a multi-app kiosk.
+
+### App launching and switching experience
+
+In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
+
+The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
+
+### Start changes
+
+When the assigned access user signs in, you should see a restricted Start experience:
+- Start gets launched in full screen and prevents the end user from accessing the desktop.
+- Start shows the layout aligned with what you defined in the multi-app configuration XML.
+- Start prevents the end user from changing the tile layout.
+ - The user cannot resize, reposition, and unpin the tiles.
+ - The user cannot pin additional tiles on the start.
+- Start hides **All Apps** list.
+- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
+- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
+- Start hides **Change account settings** option under **User** button.
+
+### Taskbar changes
+
+If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
+- Disables context menu of Start button (Quick Link)
+- Disables context menu of taskbar
+- Prevents the end user from changing the taskbar
+- Disables Cortana and Search Windows
+- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
+- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
+
+### Blocked hotkeys
+
+The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
+
+| Hotkey | Action |
+| --- | --- |
+| Windows logo key + A | Open Action center |
+| Windows logo key + Shift + C | Open Cortana in listening mode |
+| Windows logo key + D | Display and hide the desktop |
+| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
+| Windows logo key + E | Open File Explorer |
+| Windows logo key + F | Open Feedback Hub |
+| Windows logo key + G | Open Game bar when a game is open |
+| Windows logo key + I | Open Settings |
+| Windows logo key + J | Set focus to a Windows tip when one is available. |
+| Windows logo key + O | Lock device orientation |
+| Windows logo key + Q | Open search |
+| Windows logo key + R | Open the Run dialog box |
+| Windows logo key + S | Open search |
+| Windows logo key + X | Open the Quick Link menu |
+| Windows logo key + comma (,) | Temporarily peek at the desktop |
+| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
+
+
+
+### Locked-down Ctrl+Alt+Del screen
+
+The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
+
+### Auto-trigger touch keyboard
+
+In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior.
+
+
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index 74cdfe88e1..9be99277a6 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
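Review bot: The new kiosk-validate.md declares `ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC`, which is the same value the new setup-digital-signage.md in this commit uses; the assetid is meant to identify a single topic, so one of the two front-matter blocks should get a freshly generated GUID (`ms.assetid: <new GUID>`). The validation steps on this page stop at confirming the package was applied and that the Start and Taskbar restrictions are visible; a sentence asking the reader to also confirm the blocked hotkeys and the locked-down Ctrl+Alt+Del screen described further down would make the check match the lockdown the page documents.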
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
index de93d13008..876d2a663d 100644
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 08/14/2017
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -37,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A
 ## Install apps
-First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
 ## Use AppLocker to set rules for apps
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 8e3162d8d0..7793d23b83 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
+title: Set up a multi-app kiosk (Windows 10)
 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 keywords: ["lockdown", "app restrictions", "applocker"]
@@ -9,29 +9,29 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 06/21/2018
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
-# Create a Windows 10 kiosk that runs multiple apps
+# Set up a multi-app kiosk
 **Applies to**
 - Windows 10 Pro, Enterprise, and Education
-A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also:
+
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also:
 - Configure [a single-app kiosk profile](#profile) in your XML file.
 - Assign [group accounts to a config profile](#config-for-group-accounts).
 - Configure [an account to sign in automatically](#config-for-autologon-account).
-
-The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
+The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
 >[!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
 You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
@@ -65,7 +65,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
 >Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.
-
 ## Configure a kiosk using a provisioning package
 Process:
@@ -77,12 +76,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
-If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
+If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
 ### Prerequisites
-- Windows Configuration Designer (Windows 10, version 1709)
-- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
+- Windows Configuration Designer (Windows 10, version 1709 or later)
+- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
 >[!NOTE]
 >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
@@ -161,7 +160,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
 ##### AllowedApps
-**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications.
 Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
@@ -479,10 +478,7 @@ Provisioning packages can be applied to a device during the first-run experience
-### Validate provisioning
-- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
-- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
@@ -496,147 +492,9 @@ If your device is enrolled with a MDM server which supports applying the assigne
 The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
-
-## Use MDM Bridge WMI Provider to configure assigned access
-
-Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
-
-Here’s an example to set AssignedAccess configuration:
-
-1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
-2. Run `psexec.exe -i -s cmd.exe`.
-3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
-4. Execute the following script:
-
-```ps
-$nameSpaceName="root\cimv2\mdm\dmmap"
-$className="MDM_AssignedAccess"
-$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.Configuration = @"
-<?xml version="1.0" encoding="utf-8" ?>
-<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
- <Profiles>
- <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
- <AllAppsList>
- <AllowedApps>
- <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- <App DesktopAppPath="%windir%\system32\mspaint.exe" />
- <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
- </AllowedApps>
- </AllAppsList>
- <StartLayout>
- <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
- <LayoutOptions StartTileGroupCellWidth="6" />
- <DefaultLayoutOverride>
- <StartLayoutCollection>
- <defaultlayout:StartLayout GroupCellWidth="6">
- <start:Group Name="Group1">
- <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- </start:Group>
- <start:Group Name="Group2">
- <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
- <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
- </start:Group>
- </defaultlayout:StartLayout>
- </StartLayoutCollection>
- </DefaultLayoutOverride>
- </LayoutModificationTemplate>
- ]]>
- </StartLayout>
- <Taskbar ShowTaskbar="true"/>
- </Profile>
- </Profiles>
- <Configs>
- <Config>
- <Account>MultiAppKioskUser</Account>
- <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
- </Config>
- </Configs>
-</AssignedAccessConfiguration>
-"@
-
-Set-CimInstance -CimInstance $obj
-```
-
-
-## Validate multi-app kiosk configuration
-
-Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
-
->[!NOTE]
->The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
-
-The following sections explain what to expect on a multi-app kiosk.
-
-### App launching and switching experience
-
-In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
-
-The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
-
-### Start changes
-
-When the assigned access user signs in, you should see a restricted Start experience:
-- Start gets launched in full screen and prevents the end user from accessing the desktop.
-- Start shows the layout aligned with what you defined in the multi-app configuration XML.
-- Start prevents the end user from changing the tile layout.
- - The user cannot resize, reposition, and unpin the tiles.
- - The user cannot pin additional tiles on the start.
-- Start hides **All Apps** list.
-- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
-- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
-- Start hides **Change account settings** option under **User** button.
-
-### Taskbar changes
-
-If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
-- Disables context menu of Start button (Quick Link)
-- Disables context menu of taskbar
-- Prevents the end user from changing the taskbar
-- Disables Cortana and Search Windows
-- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
-- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
-
-### Blocked hotkeys
-
-The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
-
-| Hotkey | Action |
-| --- | --- |
-| Windows logo key + A | Open Action center |
-| Windows logo key + Shift + C | Open Cortana in listening mode |
-| Windows logo key + D | Display and hide the desktop |
-| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
-| Windows logo key + E | Open File Explorer |
-| Windows logo key + F | Open Feedback Hub |
-| Windows logo key + G | Open Game bar when a game is open |
-| Windows logo key + I | Open Settings |
-| Windows logo key + J | Set focus to a Windows tip when one is available. |
-| Windows logo key + O | Lock device orientation |
-| Windows logo key + Q | Open search |
-| Windows logo key + R | Open the Run dialog box |
-| Windows logo key + S | Open search |
-| Windows logo key + X | Open the Quick Link menu |
-| Windows logo key + comma (,) | Temporarily peek at the desktop |
-| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
-### Locked-down Ctrl+Alt+Del screen
-
-The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
-
-### Auto-trigger touch keyboard
-
-In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior.
@@ -756,3 +614,6 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
 - Under **CommandLine**, enter `cmd /c *FileName*.bat`.
+## Other methods
+
+Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).
\ No newline at end of file
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index d77388e0cb..1628b1c866 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -52,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

    Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

    -

    [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

    +

    [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

    [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

    Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

    -

    Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

    +

    Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

    [Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

    diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md
index 0ee82de1b3..6857cf8aac 100644
--- a/windows/configuration/multi-app-kiosk-troubleshoot.md
+++ b/windows/configuration/multi-app-kiosk-troubleshoot.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 09/27/2017
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -31,7 +31,7 @@ For example:
 **Troubleshooting steps**
-1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning).
+1. [Verify that the provisioning package is applied successfully](kiosk-validate.md).
 2. Verify that the account (config) is mapped to a profile in the configuration XML file.
 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 17162822c3..9979020ba7 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -82,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 ![step one](../images/one.png)![set up device](../images/set-up-device.png)

    Enter a name for the device.

    (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

    Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

    You can also select to remove pre-installed software from the device. ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png) ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

    Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](../images/set-up-network-details-desktop.png) ![step three](../images/three.png) ![account management](../images/account-management.png)

    Enable account management if you want to configure settings on this page.

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png) -![step four](../images/four.png) ![add applications](../images/add-applications.png)

    You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) +![step four](../images/four.png) ![add applications](../images/add-applications.png)

    You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

    To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](../images/add-certificates-details.png) ![finish](../images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](../images/finish-details.png)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index bacec7e70a..9f7712c5d3 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -20,7 +20,7 @@ ms.date: 09/06/2017
 - Windows 10
-In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
+In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
 When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
@@ -35,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app
-## Settings for Classic Windows apps
+## Settings for Windows desktop applications
 ### MSI installer
@@ -61,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
-## Add a Classic Windows app using advanced editor in Windows Configuration Designer
+## Add a Windows desktop application using advanced editor in Windows Configuration Designer
 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**.
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index b05f6637ed..c0cbd3ed3f 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -43,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
 - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+ - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
 - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 4bbbf8ad10..2a331f5839 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -86,7 +86,7 @@ The following table describes settings that you can configure using the wizards
 - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 - [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard)
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
new file mode 100644
index 0000000000..d5ea73a4a8
--- /dev/null
+++ b/windows/configuration/setup-digital-signage.md
@@ -0,0 +1,91 @@
+---
+title: Set up digital signs on Windows 10 (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 08/03/2018
+---
+
+# Set up digital signs on Windows 10
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
+
+For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+
+>[!TIP]
+>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
+
+>[!NOTE]
+>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business).
+
+
+This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
+
+1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
+2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
+2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
+3. Open Windows Configuration Designer and select **Provision kiosk devices**.
+4. Enter a friendly name for the project, and select **Finish**.
+5. On **Set up device**, select **Disabled**, and select **Next**.
+6. On **Set up network**, enable network setup.
+ - Toggle **On** wireless network connectivity.
+ - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
+7. On **Account management**, select **Disabled**, and select **Next**.
+8. On **Add applications**, select **Add an application**.
+ - For **Application name**, enter `Kiosk Browser`.
+ - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
+ - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
+ - The **Package family name** is populated automatically.
+ - Select **Next**.
+9. On **Add certificates**, select **Next**.
+10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage.
+ - Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
+ - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
+ - For **App type**, select **Universal Windows App**.
+ - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`.
+11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
+12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
+ - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
+ - In **BlockedUrl**, enter `*`.
+ - In **DefaultUrl**, enter `https://www.contoso.com/menu`.
+ - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
+
+ >[!TIP]
+ >For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
+14. On the **Export** menu, select **Provisioning package**.
+15. Change the **Owner** to **IT Admin**, and select **Next**.
+16. On **Select security details for the provisioning package**, select **Next**.
+17. On **Select where to save the provisioning package**, select **Next**.
+18. On **Build the provisioning package**, select **Build**.
+19. On the **All done!** screen, click the **Output location**.
+20. Copy the .ppkg file to a USB drive.
+21. Attach the USB drive to the device that you want to use for your digital sign.
+22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
deleted file mode 100644
index f2f227fd8c..0000000000
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ /dev/null
@@ -1,487 +0,0 @@
----
-title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10)
-description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: jdeckerms
-ms.author: jdecker
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 06/05/2018
----
-
-# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
-
-
-**Applies to**
-
-- Windows 10 Pro, Enterprise, and Education
-
-
-
-Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md).)
-
-
-
-## Choose a method for configuring your kiosks and digitals signs
-
-**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart.
-
->[!TIP]
->For **digital signage**, simply select a digital sign player as your kiosk app. You can also use the **Kiosk Browser** app ([new in Windows 10, version 1803)](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers) and configure it to show your online content.
-
-**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk.
-
->[!WARNING]
->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
->
->Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
-
-**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
-
-### Methods for kiosks and digital signs running a UWP app
-
-Choose this method | For this edition | For this kiosk account type
---- | --- | ---
-[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user
-[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user
-[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory
-[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-
-### Methods for kiosks and digital signs running a Classic Windows app
-
-Choose this method | For this edition | For this kiosk account type
---- | --- | ---
-[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory
-[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD
-
-
-
-
-
-### Other settings to lock down
-
-For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
-
-Recommendation | How to
---- | ---
-Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

    `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

    [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

    You must restart the device after changing the registry.
-Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
-Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
-Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
-Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
-Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
-Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
-Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

    **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - - -**How to edit the registry to have an account automatically logged on** - -1. Open Registry Editor (regedit.exe). - - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - ->[!TIP] ->You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - - - -## Set up a kiosk or digital sign in local Settings - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. 
(Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
-
-When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
-
-If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
-
-If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
-
-![Screenshot of automatic sign-in setting](images/auto-signin.png)
-
-**To set up assigned access in PC settings**
-
-1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
-
-2. Choose **Set up assigned access**.
-
-3. Choose an account.
-
-4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
-
-5. 
Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - -## Set up a kiosk or digital sign using Windows PowerShell - - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - - -## Set up a kiosk or digital sign using a provisioning package - ->App type: UWP or Classic Windows -> ->OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types -> ->Account type: Local standard user, Active Directory - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). 
- - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - - - - -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - - - - - - - - - - -
    ![step one](images/one.png)![set up device](images/set-up-device.png)

    Enable device setup if you want to configure settings on this page.

    **If enabled:**

    Enter a name for the device.

    (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

    Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

    You can also select to remove pre-installed software from the device.
    ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
    ![step two](images/two.png) ![set up network](images/set-up-network.png)

    Enable network setup if you want to configure settings on this page.

    **If enabled:**

    Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
    ![Enter network SSID and type](images/set-up-network-details.png)
    ![step three](images/three.png) ![account management](images/account-management.png)

    Enable account management if you want to configure settings on this page.

    **If enabled:**

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
    ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
    ![step four](images/four.png) ![add applications](images/add-applications.png)

    You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

    **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
    ![add an application](images/add-applications-details.png)
    ![step five](images/five.png) ![add certificates](images/add-certificates.png)

    To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
    ![add a certificate](images/add-certificates-details.png)
    ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
    ![Configure kiosk account and app](images/kiosk-account-details.png)
    ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

    On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
    ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
    ![finish](images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
    ![Protect your package](images/finish-details.png)
    - - ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - ->[!TIP] ->You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - -  - - - -## Set up a kiosk or digital sign in Intune or other MDM service - ->App type: UWP -> ->OS edition: Windows 10 Pro (version 1709), Ent, Edu -> ->Account type: Local standard user, Azure AD - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. 
Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Enter a friendly name for the kiosk configuration. -10. Select **Kiosk - 1 setting available**. -10. Select **Add** to add a kiosk configuration. -10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**. -10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. -1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - - - -## Set up a kiosk or digital sign using Shell Launcher - ->App type: Classic Windows -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - ->[!NOTE] ->In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). -> ->You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). - ->[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. 
If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. - -2. Expand **Device Lockdown**. - -2. Select **Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. 
The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. 
- -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. 
-
-$ShellLauncherClass.RemoveCustomShell($Admins_SID)
-
-$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
-
-# Disable Shell Launcher
-
-$ShellLauncherClass.SetEnabled($FALSE)
-
-$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
-
-"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
-```
-
-## Sign out of assigned access
-
-To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
-
-If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
-
-**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
-
-To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
-
-
-## Related topics
-
-- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-
-
-
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 6831294b38..b75768d432 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -31,7 +31,7 @@ On Windows 10 for desktop editions, the customized Start works by:
 - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
 >[!NOTE]
->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
+>To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index 2270745715..81e41752be 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -54,7 +54,7 @@ Administrators can still define which user-customized application settings can s
 ## Compatibility with Microsoft Enterprise State Roaming
-With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V on on-premises domain-joined devices only.
+With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only. In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index b1547d99cd..db8812512d 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -30,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 ## ComputerAccount
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
index 5e1b0c5274..dd7a6057aa 100644
--- a/windows/configuration/wcd/wcd-calling.md
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -131,7 +131,7 @@ VideoCallingDescription | Enter text to describe the video calling feature.
 VideoCallingLabel | Enter text to describe the video calling toggle.
 VideoCapabilityDescription | Enter text to describe the video capability feature.
 VideoCapabilityLabel | Enter text to describe the video capability toggle.
-VideoTransitionTimeout | Enter the the time in milliseconds to check how long the video transition state will remain until the remote party responds. The minimum value is 10000 and the maximum value is 30000.
+VideoTransitionTimeout | Enter the time in milliseconds to check how long the video transition state will remain until the remote party responds. The minimum value is 10000 and the maximum value is 30000.
 VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters.
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index b79f7c9f6a..b797544274 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -167,7 +167,7 @@ The **Config** settings are initial settings that can be overwritten when settin
 ### SystemCapabilities
-You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
+You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
 | Setting | Description |
 | --- | --- |
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index 3c2044f533..cb1554991e 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -8,7 +8,7 @@ author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
 ms.topic: article
-ms.date: 04/30/2018
+ms.date: 08/08/2018
 ---
 # FirstExperience (Windows Configuration Designer reference)
@@ -27,5 +27,5 @@ PreferredRegion | Enter the [geographical location identifier](https://msdn.micr
 PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](https://msdn.microsoft.com/library/ms912391.aspx)
 SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration.
 SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training.
-SkipWifi | Set to **True** to skip connecting to a Wi-fi network.
+SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.

    **Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](https://docs.microsoft.com/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md).
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 786afaaed1..e533cd7b14 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -8,7 +8,7 @@ author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
 ms.topic: article
-ms.date: 04/30/2018
+ms.date: 08/03/2018
 ---
 # Policies (Windows Configuration Designer reference)
@@ -49,7 +49,7 @@ This section describes the **Policies** settings that you can configure in [prov
 | [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X |
 | [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | |
 | [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | |
-| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device (?) | | X | | | |
+| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | |
 | [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | |
 | [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | |
 | [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | |
@@ -297,12 +297,20 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
 [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | |
 [RestartOnIdleTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | |
+To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
+
+1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
+2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
+3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com).
+4. Save the XML file.
+5. Open the project again in Windows Configuration Designer.
+6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
 ## Location
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the the Location Service's Device Switch is enabled or disabled for the device. 
| X | X | | | | +| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | ## Privacy 
@@ -439,7 +447,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 | [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X |
 | [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X |
 | [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X |
-| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
 | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X |
 | [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. 
| X | X | X | X | X |
 | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X |
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 744ae6a3b6..0f63fc68e7 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -13,7 +13,7 @@ ms.date: 09/06/2017
 # ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package.
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
 ## Applies to
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 09c6c4a000..8cc91e3ca4 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -15,8 +15,7 @@ ms.date: 10/16/2017
 Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.
->[!TIP]
->You can use the [ApplicationManagement](wcd-applicationmanagement.md) settings node to configure only the account management settings without enabling shared PC mode.
+
 ## Applies to
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 2f7f8216e2..a9e588a6f8 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -93,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available
 ## ShellLauncher settings
-Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
+Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
 >[!WARNING]
 >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 186c30961e..904711ae31 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -27,7 +27,10 @@ Use Start settings to apply a customized Start screen to devices.
 ## StartLayout
-Use StartLayout to select the LayoutModification.xml file that applies a customized Start screen to a device.
+Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device.
+
+>[!NOTE]
+>The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`. For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)).
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 9a9127182d..96e4967e7a 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -25,9 +25,9 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
 | --- | :---: | :---: | :---: | :---: | :---: |
 | [DeviceContextApp](#devicecontextapp) | X | | X | | |
 | [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
-| [StoreInstall](#storeinstall) | X | X | X | X | X |
-| [UserContextApp](#usercontextapp) | X | X | X | X | X |
-| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X |
+| [StoreInstall](#storeinstall) | X | X | X | | X |
+| [UserContextApp](#usercontextapp) | X | X | X | | X |
+| [UserContextAppLicense](#usercontextapplicense) | X | X | X | | X |
 ## DeviceContextApp
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
new file mode 100644
index 0000000000..0a2c9c16eb
--- /dev/null
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -0,0 +1,33 @@
+---
+title: WindowsHelloForBusiness (Windows 10)
+description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.topic: article
+ms.date: 07/19/2018
+---
+
+# WindowsHelloForBusiness (Windows Configuration Designer reference)
+
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [SecurityKeys](#securitykeys) | X | | | | |
+
+## SecurityKeys
+
+Select the desired value:
+
+- `0`: security keys for Windows Hello are disabled.
+- `1`: security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 53eeaa689f..57c84d177d 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -8,7 +8,7 @@ author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
 ms.topic: article
-ms.date: 04/30/2018
+ms.date: 07/19/2018
 ---
 # Windows Configuration Designer provisioning settings (reference)
@@ -74,10 +74,11 @@ This section describes the settings that you can configure in [provisioning pack
 | [TakeATest](wcd-takeatest.md) | X | | | | |
 | [TextInput](wcd-textinput.md) | | X | | | |
 | [Theme](wcd-theme.md) | | X | | | |
-| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | |
+| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X |
 | [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
 | [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X |
 | [WeakCharger](wcd-weakcharger.md) |X | X | X | X | |
+| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | |
 | [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | |
 | [WLAN](wcd-wlan.md) | | | | X | |
 | [Workplace](wcd-workplace.md) |X | X | X | X | X |
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index a1482a0a62..54b19bb5d6 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -29,7 +29,7 @@ Organizations might want to deploy a customized Start and taskbar configuration
 >
 >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
 >
->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
 >
 >Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index fe57158272..80adf12056 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -19,7 +19,7 @@
 ## [Deploy Windows 10](deploy.md)
-### [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md)
+### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md)
 ### [Windows 10 in S mode](windows-10-pro-in-s-mode.md)
 ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
 ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
@@ -220,6 +220,10 @@
 ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
 #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
 #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
+### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
+#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
+#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
+#### [Conclusion](update/feature-update-conclusion.md)
 ### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
 ### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
 #### [Configure Windows Update for Business](update/waas-configure-wufb.md)
@@ -231,10 +235,6 @@
 ### [Manage device restarts after updates](update/waas-restart.md)
 ### [Manage additional Windows Update settings](update/waas-wu-settings.md)
 ### [Determine the source of Windows updates](update/windows-update-sources.md)
-### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
-#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md)
-#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
-#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
 ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
 ## [Windows Analytics](update/windows-analytics-overview.md)
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index afe911bf76..08d10e29c7 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -38,7 +38,7 @@ New or changed topic | Description
 ## June 2017
 | New or changed topic | Description |
 |----------------------|-------------|
-| [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) | New |
+| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
 ## April 2017
 | New or changed topic | Description |
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index ee81d5f04f..8cde17231e 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -40,7 +40,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
 Windows Autopilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
-Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md).
+Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md).
 ### Upgrade Readiness
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 49d4048f3e..a38657a7be 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -17,7 +17,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
 |Topic |Description |
 |------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
 |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
 |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
 |[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
diff --git a/windows/deployment/images/download.png b/windows/deployment/images/download.png
new file mode 100644
index 0000000000..266a2a196b
Binary files /dev/null and b/windows/deployment/images/download.png differ
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
index 71ff1f9db8..bfadedc7cd 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
@@ -126,7 +126,7 @@ Windows To Go can be deployed using standard Windows deployment tools like Diskp
 - A Windows 10 Enterprise or Windows 10 Education image
-- A Windows 10 Enterprise or Windows 10 Education host PC that can be used to provision new USB keys
+- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys
 You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process.
@@ -153,7 +153,7 @@ Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows
 ## Can the user self-provision Windows To Go?
-Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise and Windows 10 Education. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
+Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
 ## How can Windows To Go be managed in an organization?
diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md
new file mode 100644
index 0000000000..7ad33b4c1c
--- /dev/null
+++ b/windows/deployment/update/feature-update-conclusion.md
@@ -0,0 +1,20 @@
+---
+title: Best practices for feature updates - conclusion
+description: Final thoughts about how to deploy feature updates
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: lizap
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 07/09/2018
+---
+
+# Conclusion
+
+**Applies to**: Windows 10
+
+Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible.
+
+Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience.
+
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
new file mode 100644
index 0000000000..d49f678bcf
--- /dev/null
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -0,0 +1,257 @@
+---
+title: Best practices - deploy feature updates during maintenance windows
+description: Learn how to deploy feature updates during a maintenance window
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: mcureton
+ms.localizationpriority: medium
+ms.author: mikecure
+ms.date: 07/09/2018
+---
+
+# Deploy feature updates during maintenance windows
+
+**Applies to**: Windows 10
+
+Use the following information to deploy feature updates during a maintenance window.
+
+## Get ready to deploy feature updates
+
+### Step 1: Configure maintenance windows
+
+1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**.
+2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s).
+3. On the **Home** tab, in the **Properties** group, choose **Properties**.
+4. In the **Maintenance Windows** tab of the Properties dialog box, choose the New icon.
+5. Complete the Schedule dialog.
+6. Select from the Apply this schedule to drop-down list.
+7. Choose **OK** and then close the **\ Properties** dialog box.
+
+### Step 2: Review computer restart device settings
+
+If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration.
+
+For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update.
+
+>[!NOTE]
+> The following settings must be shorter in duration than the shortest maintenance window applied to the computer.
+>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).**
+>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).**
+
+### Step 3: Enable Peer Cache
+
+Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
+
+[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+
+### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later)
+
+If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
+
+%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
+
+```
+[SetupConfig]
+Priority=Normal
+```
+
+You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+
+```
+#Parameters
+Param(
+ [string] $PriorityValue = "Normal"
+ )
+
+#Variable for ini file path
+$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
+
+#Variables for SetupConfig
+$iniSetupConfigSlogan = "[SetupConfig]"
+$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;}
+
+#Init SetupConfig content
+$iniSetupConfigContent = @"
+$iniSetupConfigSlogan
+"@
+
+#Build SetupConfig content with settings
+foreach ($k in $iniSetupConfigKeyValuePair.Keys)
+{
+ $val = $iniSetupConfigKeyValuePair[$k]
+
+ $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val")
+}
+
+#Write content to file
+New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
+
+Disclaimer
+Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is
+provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without
+limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk
+arising out of the use or performance of the sample script and documentation remains with you. In no event shall
+Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable
+for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption,
+loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script
+or documentation, even if Microsoft has been advised of the possibility of such damages.
+```
+
+>[!NOTE]
+>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+
+## Manually deploy feature updates
+
+The following sections provide the steps to manually deploy a feature update.
+
+### Step 1: Specify search criteria for feature updates
+There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy.
+
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
+3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
+ - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
+ - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English.
+
+4. Save the search for future use.
+
+### Step 2: Download the content for the feature update(s)
+Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
+
+1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
+2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download.
+
+ The **Download Software Updates Wizard** opens.
+3. On the **Deployment Package** page, configure the following settings:
+ **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
+ - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
+ - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
+ - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
+
+ >[!NOTE]
+ >The deployment package source location that you specify cannot be used by another software deployment package.
+
+ >[!IMPORTANT]
+ >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
+
+ >[!IMPORTANT]
+ >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
+
+ Click **Next**.
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+
+ >[!NOTE]
+ >The Distribution Points page is available only when you create a new software update deployment package.
+5. On the **Distribution Settings** page, specify the following settings:
+
+ - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
+ - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
+ - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
+ - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
+
+ For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ Click **Next**.
+6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
+
+ - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
+
+ >[!NOTE]
+ >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+
+ Click **Next**.
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close.
+
+#### To monitor content status
+1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
+2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
+3. Select the feature update package that you previously identified to download the feature updates.
+4. On the **Home** tab, in the Content group, click **View Status**.
+
+### Step 3: Deploy the feature update(s)
+After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
+
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
+3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
+
+ The **Deploy Software Updates Wizard** opens.
+4. On the General page, configure the following settings:
+ - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\**
+ - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default.
+ - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct.
+ - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time.
+ - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment.
+5. On the Deployment Settings page, configure the following settings:
+
+ - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
+
+ >[!IMPORTANT]
+ > After you create the software update deployment, you cannot later change the type of deployment.
+
+ >[!NOTE]
+ >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
+
+ - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required.
+
+ >[!WARNING]
+ >Before you can use this option, computers and networks must be configured for Wake On LAN.
+
+ - **Detail level**: Specify the level of detail for the state messages that are reported by client computers.
+6. On the Scheduling page, configure the following settings:
+
+ - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
+
+ >[!NOTE]
+ >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time.
+
+ - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients:
+ - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation.
+ - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
+
+ >[!NOTE]
+ >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
+
+ >[!NOTE]
+ >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent).
+7. On the User Experience page, configure the following settings:
+ - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
+ - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows).
+ - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
+
+ >[!IMPORTANT]
+ >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
+ - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
+
+ >[!NOTE]
+ >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
+ - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ >[!NOTE]
+ >You can review recent software updates alerts from the Software Updates node in the Software Library workspace.
+9. On the Download Settings page, configure the following settings:
+ - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
+ - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
+ - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
+
+ >[!NOTE]
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
+11. Click **Next** to deploy the feature update(s).
+
+### Step 4: Monitor the deployment status
+After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
+
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
+2. Click the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
new file mode 100644
index 0000000000..5c1cc4673a
--- /dev/null
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -0,0 +1,39 @@
+---
+title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
+description: Learn how to deploy feature updates to your mission critical devices
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: mcureton
+ms.localizationpriority: medium
+ms.author: mikecure
+ms.date: 07/10/2018
+---
+
+# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
+
+**Applies to**: Windows 10
+
+Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
+
+For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
+
+Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
+
+- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows.
+- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician.
+
+You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. 
The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSC feature updates.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
+- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
+
+If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
+
+Use the following information:
+
+
+- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md)
+- [Deploy feature updates for user-initiated installations](feature-update-user-install.md)
+- [Conclusion](feature-update-conclusion.md)
\ No newline at end of file
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
new file mode 100644
index 0000000000..bcf74135cf
--- /dev/null
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -0,0 +1,235 @@ +--- +title: Best practices - deploy feature updates for user-initiated installations +description: Learn how to manually deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mcureton +ms.localizationpriority: medium +ms.author: mikecure +ms.date: 07/10/2018 +--- + +# Deploy feature updates for user-initiated installations (during a fixed service window) + +**Applies to**: Windows 10 + +Use the following steps to deploy a feature update for a user-initiated installation. + +## Get ready to deploy feature updates + +### Step 1: Enable Peer Cache +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. 
+ +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. 
In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates in a user-initiated installation + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
+ - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. 
You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. 
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 
+3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. 
+ + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + - **Software available time**: Select **Specific time** to specify when the software updates will be available to clients: + - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. 
However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded. + + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window. + + Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated. + +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify **Display in Software Center and show all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. + >[!NOTE] + >Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window. 
+ - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. 
You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + >[!NOTE] + >You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. 
For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
+11. Click **Next** to deploy the feature update(s).
+
+### Step 4: Monitor the deployment status
+After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
+
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
+2. Click the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
\ No newline at end of file
diff --git a/windows/deployment/update/images/app-reliability.png b/windows/deployment/update/images/app-reliability.png
new file mode 100644
index 0000000000..47ecf49431
Binary files /dev/null and b/windows/deployment/update/images/app-reliability.png differ
diff --git a/windows/deployment/update/images/device-reliability-crash-count.png b/windows/deployment/update/images/device-reliability-crash-count.png
new file mode 100644
index 0000000000..7dd0a2d660
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-crash-count.png differ
diff --git a/windows/deployment/update/images/device-reliability-device-count.png b/windows/deployment/update/images/device-reliability-device-count.png
new file mode 100644
index 0000000000..ba937d49e9
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-device-count.png differ
diff --git a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png
new file mode 100644
index 0000000000..323e0e3878
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png differ
diff --git a/windows/deployment/update/images/event_1001.png b/windows/deployment/update/images/event_1001.png
new file mode 100644
index 0000000000..e4f4604c2b
Binary files /dev/null and b/windows/deployment/update/images/event_1001.png differ
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index b2b3ba0084..78aa48d1cf 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -77,4 +77,4 @@ Once you've added Update Compliance to Microsoft Operations Management Suite, yo
 ## Use Update Compliance to monitor Windows Updates
-Once your devices are enrolled, you can starte to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).
+Once your devices are enrolled, you can start to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index bca4cfe0a9..10b578947d 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -4,10 +4,10 @@ description: Deployment rings in Windows 10 are similar to the deployment groups
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: DaniHalfin
+author: jaimeo
 ms.localizationpriority: medium
-ms.author: daniha
-ms.date: 07/27/2017
+ms.author: jaimeo
+ms.date: 07/11/2018
 ---
 
 # Build deployment rings for Windows 10 updates
@@ -38,9 +38,7 @@ Table 1 provides an example of the deployment rings you might use.
 | Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
 >[!NOTE]
->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates.
->
->Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
+>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates.
 As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. 
@@ -66,6 +64,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index ce3bdd55b7..b726f5ba97 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -29,7 +29,7 @@ Windows Update for Business enables information technology administrators to kee Specifically, Windows Update for Business allows for: -- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met). +- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization). - Selectively including or excluding drivers as part of Microsoft-provided updates - Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. 
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0e3ae864cf..d0c4ddbf52 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -70,7 +70,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha ### Naming changes As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using: -* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". +* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] diff --git a/windows/deployment/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md deleted file mode 100644 index e8099960b8..0000000000 --- a/windows/deployment/update/waas-windows-insider-for-business-aad.md +++ /dev/null 
@@ -1,123 +0,0 @@ ---- -title: Windows Insider Program for Business using Azure Active Directory -description: Benefits and configuration of corporate accounts in the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 10/16/2017 ---- - -# Windows Insider Program for Business using Azure Active Directory - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -We recently added features and benefits to better support the IT Professionals and business users in our Windows Insider community. This includes the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. - ->[!NOTE] ->At this point, the Windows Insider Program for Business only supports Azure Active Directory (and not Active Directory on premises) as a corporate authentication method. - ->[!TIP] ->New to Azure Active Directory? Go here for [an introduction to AAD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect), including guidance for [adding users](https://docs.microsoft.com/azure/active-directory/active-directory-users-create-azure-portal), [device registration](https://docs.microsoft.com/azure/active-directory/active-directory-device-registration-overview) and [integrating your on-premises directories with Azure AD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect). 
-> ->If your company is currently not using AAD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. - -In order to get the most benefit out of the Windows Insider Program for Business, organizations should not use a test tenant of AAD. There will be no modifications to the AAD tenant to support the Windows Insider Program as it will only be used as an authentication method. - -## Register your organization's Azure AD domain to the Windows Insider Program for Business -Rather than have each user in your organization register for Windows 10 Insider Preview builds, you can now simply register your domain – and cover all users with just one registration. - -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Windows Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally. - ->[!IMPORTANT] ->The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. - -## Check if a device is connected to your company’s Azure Active Directory subscription -Simply go to **Settings > Accounts > Access work or school**. If a corporate account is on Azure Active Directory and it is connected to the device, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -## Enroll a device with an Azure Active Directory account -1. 
Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com). -2. Go to **Register your organization account** and follow the instructions. -3. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**. -4. Enter the AAD account that you used to register and follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to the machine and that it has latest Windows updates. - -## Switch device enrollment from your Microsoft account to your AAD account -1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account. -2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**. -3. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -4. Under Windows Insider account, click your Microsoft account, then **Change** to open a Sign In box. -5. Select your corporate account and click Continue to change your account. - -![Change Windows Insider account](images/waas-wipfb-change-user.png) - ->[!NOTE] ->Your device must be connected to your corporate account in AAD for the account to appear in the account list. - -## User consent requirement - -With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: - -![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) - -Once agreed, everything will work fine, and that user won't be prompted for permission again. 
- -### Something went wrong - -The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. - -In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: - -![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) - -This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. - -**To fix this issue**, an administrator of the AAD directory will need to enable user consent for apps to access their data. - -To do this through the **classic Azure portal**: -1. Go to https://manage.windowsazure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) -3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. - ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) - -To do this through the **new Azure portal**: -1. Go to https://portal.azure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) -3. Switch to the appropriate directory. - ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) -4. Under the **Manage** section, select **User settings**. - ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) -5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. - ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) - - -## Frequently Asked Questions - -### Will my test machines be affected by automatic registration? 
-All devices enrolled in the Windows Insider Program (physical or virtual) will receive Windows 10 Insider Preview builds (regardless of registration with MSA or AAD). - -### Once I register with my corporate account in AAD, do I need to keep my Microsoft account for the Windows Insider Program? -No, once you set up your device using AAD credentials – all feedback and flighting on that machine will be under your AAD account. You may need MSA for other machines that aren’t being used on your corporate network or to get Microsoft Store App updates. - -### How do I stop receiving updates? -You can simply “unlink” your account by going to **Settings > Updates & Security > Windows Insider Program**, select Windows Insider Account and click **Unlink**. - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) -- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md deleted file mode 100644 index 0d5282bf9f..0000000000 --- a/windows/deployment/update/waas-windows-insider-for-business-faq.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: Windows Insider Program for Business Frequently Asked Questions -description: Frequently Asked Questions and answers about the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 10/24/2017 ---- - -# Windows Insider Program for Business Frequently Asked Questions - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -### Are the Windows Insider Program and Windows Insider Program for Business separate programs? -No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. 
Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done. - -### What Languages are available? -Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese, Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese. - -If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds. - -Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs). - ->[!NOTE] -> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc). - -### How do I register for the Windows Insider Program for Business? -To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. - -1. Visit https://insider.windows.com and click **Get Started**. -2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. 
- ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### Are there any management capabilities that allow an IT admin to manage settings for a corporate environment? -Yes. Starting with Windows 10, version 1709, the Windows Insider Program for Business now enables administrators to apply the following group policies to help them manage their organization’s preview builds: - -**Manage preview builds:** Administrators can enable or prevent builds from installing on a device. You also have an option to disable preview builds once the release is public. -**Branch Readiness Level:** Administrators can set the Windows readiness level, including Fast, Slow, Release Preview Rings of Windows Insider Preview) and allows administrators to defer or pause delivery of updates. - -See more information on the [Getting started with Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) section. - -### How can I find out if my corporate account is on Azure Active Directory? -On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -### I have more than one Azure Active Directory account. Which should I use? -Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method. 
- -### Can I register multiple users from my organization at the same time for the Windows Insider Program for Business? -Yes. The Windows Insider Program for Business now allows organizations to register their domain and control settings centrally rather than require each user to register individually for Insider Preview builds. In order to register, follow instructions on the [Getting started with Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) section. - -### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials? -No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp). - -### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory? -No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com and click Get Started. -2. Register with your Microsoft account and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this? 
-In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD. -2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -3. In your account Under Windows Insider account, click **Change** to open a pop-up box. -4. Select your corporate account and click Continue to change your account. - ->[!NOTE] ->Your corporate account must be connected to the device for it to appear in the account list. - -### How do I sign into the Feedback Hub with my corporate credentials? -Sign in to the Feedback Hub using the same AAD account you are using to flight builds. - -### Am I going to lose all the feedback I submitted and badges I earned with my MSA? -No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. - -### How is licensing handled for Windows 10 Insider builds? -All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. - -### Can I use the Software in a live operating environment? -The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version. - -### Can a single MSA or AAD account be used to register more than one PC in the program? -Yes. 
If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback). - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) -- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) \ No newline at end of file diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index be6b6419c0..3b90be8d08 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -8,8 +8,8 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 07/02/2018 -ms.localizationpriority: high +ms.date: 07/20/2018 +ms.localizationpriority: medium --- # Frequently asked questions and troubleshooting Windows Analytics 
@@ -20,10 +20,13 @@ This topic compiles the most common issues encountered with configuring and usin If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here. -[Devices not showing up](#devices-not-showing-up) +[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness) -[Device Health crash data not appearing](#device-health-crash-data-not-appearing) +[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) +[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) + +[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability) [Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) @@ -36,7 +39,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win [Exporting large data sets](#exporting-large-data-sets) -### Devices not showing up +### Devices not appearing in Upgrade Readiness In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. 
@@ -58,77 +61,96 @@ If you want to check a large number of devices, you should run the latest script If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. -If you have deployed images that have not been generalized, then many of them might have the same ID and so analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: +If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: 1. Net stop diagtrack 2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f 3. Net start diagtrack +#### Devices not appearing in Device Health Device Reliability -### Device Health crash data not appearing +[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) -#### Is WER disabled? -If Windows Error Reporting (WER) is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health. +If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue: +1. Confirm that the devices are running Windows10. +2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). +3. 
Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). +4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. +5. Wait 48 hours for activity to appear in the reports. +6. If you need additional troubleshooting, contact Microsoft Support. -Check these registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**: -- Verify that the value "Disabled" (REG_DWORD), if set, is 0. -- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. -- Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +### Device crashes not appearing in Device Health Device Reliability -If you need further information on Windows Error Reporting (WER) settings, see WER Settings. +[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png) + +If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue: + +1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic. +2. 
Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals. +3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): + + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. + +4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes. +5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: + + [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) + + You can use the following Windows PowerShell snippet to summarize recent occurences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). 
+ + ```powershell + $limitToMostRecentNEvents = 20 + Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} | + ?{ $_.Properties[2].Value -match "crash|blue" } | + % { [pscustomobject]@{ + TimeCreated=$_.TimeCreated + WEREvent=$_.Properties[2].Value + BucketId=$_.Properties[0].Value + ContextHint = $( + if($_.Properties[2].Value -eq "bluescreen"){"kernel"} + else{ $_.Properties[5].Value } + ) + }} | Select-Object -First $limitToMostRecentNEvents + ``` + The output should look something like this: + [![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png) + +6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +7. Wait 48 hours for activity to appear in the reports. +8. If you need additional troubleshooting, contact Microsoft Support. #### Endpoint connectivity Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. - -Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). For suggested methods, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). 
- -To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*: +If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. -```powershell -$endPoints = @( - 'watson.telemetry.microsoft.com' - 'oca.telemetry.microsoft.com' - 'v10.events.data.microsoft.com' - ) +For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). -$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded +### Apps not appearing in Device Health App Reliability -``` +[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png) -If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints. +If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue: -To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example: +1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic. +2. Confirm that an in-scope application has crashed on an enrolled device. 
Keep the following points in mind: + - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system. + - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes. + - You can also use test apps which are designed to crash on demand. -```powershell +3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): -[scriptblock]$accessTest = { - $endPoints = @( - 'watson.telemetry.microsoft.com' - 'oca.telemetry.microsoft.com' - 'v10.events.data.microsoft.com' - ) + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +5. Wait 48 hours for activity to appear in the reports. +6. If you need additional troubleshooting, contact Microsoft Support. 
- $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded -} - -$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1" -$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt" -$accessTest.ToString() > $scriptFullPath -$null > $outputFileFullPath -$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`"" -$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10) -$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force -Start-Sleep -Seconds 120 -Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false -Get-Content $outputFileFullPath - -``` - -As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints. ### Upgrade Readiness shows many "Computers with outdated KB" If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: @@ -171,7 +193,7 @@ Starting with Windows 10, version 1803, the device name is no longer collected b ### Disable Upgrade Readiness -If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps: +If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: 1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. 
@@ -229,3 +251,6 @@ System Center Configuration Manager (SCCM) considers a device ready to upgrade i Currently, you can choose the criteria you wish to use: - To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). - To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. + +### How does Upgrade Readiness collect the inventory of devices and applications? +For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. \ No newline at end of file diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index a783fc5d09..0cf9e39727 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/08/2018 +ms.date: 08/01/2018 ms.localizationpriority: medium --- 
@@ -52,6 +52,9 @@ To enable data sharing, configure your proxy sever to whitelist the following en | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | +| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. | +| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | +| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | >[!NOTE] diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index a3e43f7e7b..49c1fc93cc 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md 
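Review bot: The three new rows for `login.live.com`, `www.msftncsi.com` and `www.msftconnecttest.com` do not say whether Upgrade Readiness needs them, while every neighbouring row ends with `Not used by Upgrade Readiness.`; add the equivalent statement so an admin who only runs Upgrade Readiness knows whether to open them. The rows also do not say which proxy context needs access: the troubleshooting text in this same commit states that WER before Windows 10, version 1703 uploads only in the machine context and that endpoints were whitelisted for non-authenticated access, so the table (or the note under it) should say these hosts must be reachable from the machine context on those builds. The `https://` scheme on the two connectivity-check rows should be confirmed against the actual probe, since the standard NCSI connectivity probe is plain HTTP; a wrong scheme in a whitelist rule silently breaks the check.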
@@ -45,7 +45,8 @@ See these topics for additional background information about related privacy iss - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) - [Learn about security and privacy at Microsoft datacenters](http://www.microsoft.com/datacenters) -- [Confidence in the trusted cloud](https://azure.microsoft.com/en-us/support/trust-center/) +- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) +- [Trust Center](https://www.microsoft.com/trustcenter) ### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service? No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity. diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 71d6ca6433..65b4e8d268 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -18,13 +18,33 @@ ms.localizationpriority: medium >[!NOTE] >This is a 300 level topic (moderate advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
    -[SetupDiag.exe](https://go.microsoft.com/fwlink/?linkid=870142) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + [![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) + +## About SetupDiag + +Current version of SetupDiag: 1.3.1.0 + +SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode. -See the [Release notes](#release-notes) section at the bottom of this topic for information about updates to this tool. +To quickly use SetupDiag on your current computer: +1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137). +2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). +3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**. +4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left navigation pane. +5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program. + - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. 
If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way. +6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish. +7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file. +8. Use Notepad to open the log file: **SetupDiagResults.log**. +9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below. + +For instructions on how to run the tool in offline more and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below. + +The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool. ## Requirements @@ -43,8 +63,9 @@ See the [Release notes](#release-notes) section at the bottom of this topic for | /Output:\ |
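Review bot: Step 5 of the new quick-start tells the reader to double-click the downloaded executable and approve the elevation prompt, but no step checks that the file is the genuine Microsoft-signed SetupDiag before it runs with administrator rights. Add a verification step between steps 4 and 5, for example `Right-click the file, choose **Properties** > **Digital Signatures**, and confirm the signer is Microsoft Corporation` (or `Get-AuthenticodeSignature .\SetupDiag.exe` reporting `Status: Valid`). Step 7 says "two files will be created", but the `/ZipLogs` parameter description below defaults to `true` and produces a zip of the results and parsed logs in the same directory, so the count looks incomplete unless online mode behaves differently; confirm and state what is created. Step 8 names only the log file; naming the configuration file from step 7 as well would save readers a search.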
    • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
    • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
    | | /Mode:\ |
    • This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
    • Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
    • Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
    • Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
    • Default: If not specified, SetupDiag will run in Online mode.
    | | /LogsPath:\ |
    • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
    | -| /ZipLogs:\ |
    • This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
    • Default: If not specified, a value of 'true' is used.
    | +| /ZipLogs:\ |
    • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
    • Default: If not specified, a value of 'true' is used.
    | | /Verbose |
    • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
    | +| /Format:\ |
    • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
    | ### Examples: 
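Review bot: The `/Output:` row above still says `Only text format output is supported.`, which the new `/Format:` row contradicts; change it to `Text format is used by default; use /Format to select xml or JSON output.`. The `/Format:` row itself names the formats but not the literal values, which only appear in the release notes further down; add `• Accepted values: xml, json. Default: text.` so the reference table is complete on its own. The page also does not say whether the value is case-sensitive, which is worth stating.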
@@ -345,10 +366,26 @@ Each rule name and its associated unique rule identifier are listed with a descr - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. - +42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC + - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. +43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. +44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 + - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. ## Release notes +07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. + - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. + +07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center. + - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues. + - New feature: Ability to output logs in JSON and XML format. + - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic. 
+ - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text. + - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive. + - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed. + 05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center. - Fixed a bug in device install failure detection in online mode. - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost. 
@@ -363,6 +400,84 @@ Each rule name and its associated unique rule identifier are listed with a descr 03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center. +## Sample logs + +### Text log sample + +``` +Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 +System Information: + Machine Name = Offline + Manufacturer = MSI + Model = MS-7998 + HostOSArchitecture = x64 + FirmwareType = PCAT + BiosReleaseDate = 20160727000000.000000+000 + BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70 + BiosVersion = 1.70 + HostOSVersion = 10.0.15063 + HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834 + TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534) + HostOSLanguageId = 2057 + HostOSEdition = Core + RegisteredAV = Windows Defender, + FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo, + UpgradeStartTime = 3/21/2018 9:47:16 PM + UpgradeEndTime = 3/21/2018 10:02:40 PM + UpgradeElapsedTime = 00:15:24 + ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde + +Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F +Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. +Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015 +Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. 
+``` + +### XML log sample + +``` + + + 1.3.0.0 + DiskSpaceBlockInDownLevel + 6080AFAC-892E-4903-94EA-7A17E69E549E + + Offline + Microsoft Corporation + Virtual Machine + x64 + UEFI + 20171012000000.000000+000 + Hyper-V UEFI Release v2.5 + Hyper-V UEFI Release v2.5 + 10.0.14393 + 14393.1794.amd64fre.rs1_release.171008-1615 + 10.0.16299.15 (rs3_release.170928-1534) + 1033 + Core + + + 2017-12-21T12:56:22 + + 2017-12-21T13:22:46 + 0001-01-01T00:00:00 + 0001-01-01T00:00:00 + + Offline + 06600fcd-acc0-40e4-b7f8-bb984dc8d05a + 06600fcd-acc0-40e4-b7f8-bb984dc8d05a + + Warning: Found Disk Space Hard Block. + You must free up at least "6603" MB of space on the System Drive, and try again. + +``` + +### JSON log sample + +``` +{"Version":"1.3.0.0","ProfileName":"DiskSpaceBlockInDownLevel","ProfileGuid":"6080AFAC-892E-4903-94EA-7A17E69E549E","SystemInfo":{"BiosReleaseDate":"20171012000000.000000+000","BiosVendor":"Hyper-V UEFI Release v2.5","BiosVersion":"Hyper-V UEFI Release v2.5","CV":null,"CommercialId":"Offline","FilterDrivers":"","FirmwareType":"UEFI","HostOSArchitecture":"x64","HostOSBuildString":"14393.1794.amd64fre.rs1_release.171008-1615","HostOSEdition":"Core","HostOSLanguageId":"1033","HostOSVersion":"10.0.14393","MachineName":"Offline","Manufacturer":"Microsoft Corporation","Model":"Virtual Machine","RegisteredAV":"","ReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","RollbackElapsedTime":"PT0S","RollbackEndTime":"\/Date(-62135568000000-0800)\/","RollbackStartTime":"\/Date(-62135568000000-0800)\/","SDMode":1,"SetupReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","TargetOSArchitecture":null,"TargetOSBuildString":"10.0.16299.15 (rs3_release.170928-1534)","UpgradeElapsedTime":"PT26M24S","UpgradeEndTime":"\/Date(1513891366000-0800)\/","UpgradeStartTime":"\/Date(1513889782000-0800)\/"},"FailureData":["Warning: Found Disk Space Hard Block."],"DeviceDriverInfo":null,"Remediation":["You must free up at least \"6603\" MB of space on the System Drive, and try again."]} +``` 
+ ## Related topics [Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index a927b0db6d..3f049881af 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -49,7 +49,7 @@ To change an application's upgrade decision: 1. Select **Decide upgrade readiness** to view applications with issues. 2. In the table view, select an **UpgradeDecision** value. 3. Select **Decide upgrade readiness** to change the upgrade decision for each application. -4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. +4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. 5. Click **Save** when finished. IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index badacb456b..97bc60f3d0 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.prod: w10 author: jaimeo ms.author: jaimeo -ms.date: 08/30/2017 +ms.date: 07/31/2018 --- # Use Upgrade Readiness to manage Windows upgrades 
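Review bot: The JSON sample's time fields use the `\/Date(1513891366000-0800)\/` serializer form while the XML sample uses ISO 8601 (`2017-12-21T12:56:22`), and the page does not say so; add a sentence under the JSON sample noting that scripts or log pipelines consuming JSON output must convert this format (milliseconds since the Unix epoch followed by a UTC offset) rather than expecting ISO dates. Both samples report `"Version":"1.3.0.0"` although the page lists the current version as 1.3.1.0, so either regenerate them or note that they come from an earlier build. Both samples also include device-identifying fields (`MachineName`, `ReportId`, `SetupReportId`, `RegisteredAV`, `FilterDrivers`), and `/ZipLogs` defaults to `true` and packages the parsed setup logs alongside the results; a short note that the output is a system inventory to review before sharing, for example with Support, would help readers.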
@@ -22,7 +22,7 @@ When you are ready to begin the upgrade process, a workflow is provided to guide Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. ->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). The following information and workflow is provided: 
@@ -41,11 +41,11 @@ The target version setting is used to evaluate the number of computers that are ![Upgrade overview showing target version](../images/ur-target-version.png) -As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. +The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703. +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: 
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 3bdaf3e0ba..13ef2ce85b 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md 
@@ -1,8 +1,23 @@ -# [Overview of Windows Autopilot](windows-10-autopilot.md) - -## [The Windows Autopilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -## [The Windows Autopilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -## [The Windows Autopilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) -## [The Windows Autopilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot) -## [Demo the Windows Autopilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md) - +# [Windows Autopilot](windows-autopilot.md) +## [Requirements](windows-autopilot-requirements.md) +### [Configuration requirements](windows-autopilot-requirements-configuration.md) +### [Network requirements](windows-autopilot-requirements-network.md) +### [Licensing requirements](windows-autopilot-requirements-licensing.md) +## [Scenarios and Capabilities](windows-autopilot-scenarios.md) +### [User-driven mode](user-driven.md) +### [Self-deploying mode](self-deploying.md) +### [Enrollment status page](enrollment-status.md) +### [Windows Autopilot Reset](windows-autopilot-reset.md) +#### [Remote reset](windows-autopilot-reset-remote.md) +#### [Local reset](windows-autopilot-reset-local.md) +## Administering Autopilot +### [Configuring](configure-autopilot.md) +#### [Adding devices](add-devices.md) +#### [Creating profiles](profiles.md) +### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) +### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) +### [Administering Autopilot via Microsoft 365 Business 
& Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) +### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot) +## Getting started +### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md) +## [Troubleshooting](troubleshooting.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md new file mode 100644 index 0000000000..d494ef7054 --- /dev/null +++ b/windows/deployment/windows-autopilot/add-devices.md 
@@ -0,0 +1,70 @@ +--- +title: Adding devices +description: How to add devices to Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/18 +--- + +# Adding devices to Windows Autopilot + +**Applies to** + +- Windows 10 + +Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. + +## Device identification + +To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. + +The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. + +Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot Deployment Service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. 
But substantial changes to the hardware, such as motherboard replacement, would not match, so the device would need to be re-uploaded. + +## Collecting the hardware ID from existing devices using PowerShell + +The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). + +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used: + +*md c:\\HWID* + +*Set-Location c:\\HWID* + +*Set-ExecutionPolicy Unrestricted* + +*Install-Script -Name Get-WindowsAutoPilotInfo* + +*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv* + +You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information. + +>[!NOTE] +>With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. 
If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe). + +## Collecting the hardware ID from existing devices using System Center Configuration Manager + +Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. + +## Uploading hardware IDs + +Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism: + +For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: + +- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) + +- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) + +- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) + +- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) + +For those using Microsoft Intune, devices should normally be uploaded via Intune; for those using Microsoft 365 Business, its administrative portal would be used. For [Cloud Solution Provider (CSP)](https://partnercenter.microsoft.com/en-us/partner/cloud-solution-provider) partners uploading devices on the behalf of a customer that they are authorized to manage, Partner Center can be used. For any other scenario, the Microsoft Store for Business is available. 
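Review bot: `Set-ExecutionPolicy Unrestricted` in the command sequence runs elevated with no `-Scope`, so it changes the machine-wide policy and stays in effect after the hardware hash has been collected; scope it to the session instead, `Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned` (substitute `Unrestricted` for `RemoteSigned` only if the Gallery script turns out to be unsigned), so the change is discarded when the window closes. The five commands are rendered as italic prose rather than code, so they cannot be copied as a block; put them in a fenced `powershell` block. The generated `AutoPilotHWID.csv` holds hardware hashes and serial numbers that register devices to a tenant, so a sentence under "Uploading hardware IDs" advising readers to restrict access to the file and delete it after upload would fit. Since the note states that devices on version 1803 and later download a profile on first internet contact, it could say explicitly that the hash should be collected before the device is connected.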
diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md
new file mode 100644
index 0000000000..320afb60dd
--- /dev/null
+++ b/windows/deployment/windows-autopilot/configure-autopilot.md
@@ -0,0 +1,32 @@
+---
+title: Configure Autopilot deployment
+description: How to configure Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/18
+---
+
+# Configure Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+## Deploying new devices
+
+When deploying new devices using Windows Autopilot, a common set of steps are required:
+
+1. [Register devices with the Windows Autopilot deployment service](add-devices.md). Ideally, this step would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
+
+2. [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
+
+3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience.
+
+
+
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
similarity index 94%
rename from windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
rename to windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index a093eb31cd..ca44b1c9f9 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,5 +1,5 @@ --- -title: Demo the Windows Autopilot Deployment Program on a Virtual Machine +title: Demonstrate Autopilot deployment on a VM description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 @@ -8,11 +8,11 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: coreyp-at-msft -ms.author: coreyp -ms.date: 05/09/18 +ms.author: greg-lindsay +ms.date: 07/13/18 --- -# Demo the Windows Autopilot Deployment Program on a Virtual Machine +# Demonstrate Autopilot deployment on a VM **Applies to** @@ -27,10 +27,10 @@ In this topic you'll learn how to set-up a Windows Autopilot deployment for a Vi These are the thing you'll need on your device to get started: * Installation media for the latest version of Windows 10 Professional or Enterprise (ISO file) -* Internet access (see [Network connectivity requirements](windows-10-autopilot.md#network-connectivity-requirements)) +* Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements)) * Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine -See additional prerequisites in the [Windows Autopilot overview topic](windows-10-autopilot.md#prerequisites). +See additional prerequisites in the [Windows Autopilot overview topic](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#prerequisites). ## Create your Virtual Machine 
@@ -209,4 +209,3 @@ Once you select a language and a keyboard layout, your company branded sign-in s Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. -Missing something in this topic? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-autopilot-demo-vm.md). \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md new file mode 100644 index 0000000000..2f7e82b15e --- /dev/null +++ b/windows/deployment/windows-autopilot/enrollment-status.md 
@@ -0,0 +1,52 @@
+---
+title: Windows Autopilot Enrollment Status page
+description: Gives an overview of the enrollment status page capabilities, configuration
+keywords: Autopilot Plug and Forget, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: medium
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot Enrollment Status page
+
+The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
+
+ ![Enrollment Status Page](images/enrollment-status-page.png)
+
+## Available settings
+
+ The following settings can be configured:
+
+ - Show app and profile installation progress. When enabled, the Enrollment Status page is displayed.
+ - Block device use until all apps and profiles are installed. When enabled, the Enrollment Status page will be displayed until the device configuraton process is complete. When not enabled, the user can dismiss the page at any time.
+ - Allow users to reset device if installation errors occur.
+ - Allow users to use device if installation errors occur.
+ - Show error when installation takes longer than the specified number of minutes.
+ - Show custom error message when an error occurs.
+ - Allow users to collect logs about installation errors.
+
+## Installation progresss tracked
+
+The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include:
+
+- Certain types of app installations.
+ - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisemodernappmanagement-csp).
+ - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp).
+- Certain device configuration policies.
+
+Presently the following types of policies are not tracked:
+
+- Intune Management Extentions PowerShell scripts.
+- Office 365 ProPlus installations.
+- System Center Configuration Manager apps, packages, and task sequences.
+
+## For more information
+
+For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp).
+
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png
new file mode 100644
index 0000000000..d86cb57895
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png
new file mode 100644
index 0000000000..f6fa6d3467
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png differ
diff --git a/windows/deployment/windows-autopilot/images/enrollment-status-page.png b/windows/deployment/windows-autopilot/images/enrollment-status-page.png
new file mode 100644
index 0000000000..9bb550c20b
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enrollment-status-page.png differ
diff --git a/windows/deployment/windows-autopilot/images/image1.png b/windows/deployment/windows-autopilot/images/image1.png
new file mode 100644
index 0000000000..ed70e84120
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/image1.png differ
diff --git a/windows/deployment/windows-autopilot/images/image2.png b/windows/deployment/windows-autopilot/images/image2.png
new file mode 100644
index 0000000000..9790d50b35
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/image2.png differ
diff --git a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png
new file mode 100644
index 0000000000..3ab1e4b304
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png differ
diff --git a/windows/deployment/windows-autopilot/images/windows_glyph.png b/windows/deployment/windows-autopilot/images/windows_glyph.png
new file mode 100644
index 0000000000..3a41d4dfb1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/windows_glyph.png differ
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
new file mode 100644
index 0000000000..4868e24cd2
--- /dev/null
+++ b/windows/deployment/windows-autopilot/profiles.md
@@ -0,0 +1,35 @@
+---
+title: Configure Autopilot profiles
+description: How to configure Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/18
+---
+
+# Configure Autopilot profiles
+
+**Applies to**
+
+- Windows 10
+
+For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available:
+
+- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
+
+- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
+
+- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
+
+- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
+
+- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
+
+- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
+
+- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md
new file mode 100644
index 0000000000..0f85771ec9
--- /dev/null
+++ b/windows/deployment/windows-autopilot/rip-and-replace.md
@@ -0,0 +1,19 @@
+---
+title: Rip and Replace
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Rip and replace
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH. Just a placeholder for now, coming with 1809.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
new file mode 100644
index 0000000000..deba1e8e5e
--- /dev/null
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -0,0 +1,76 @@
+---
+title: Windows Autopilot Self-Deploying mode (Preview)
+description: Gives an overview of Autopilot Plug and Forget and how to use it.
+keywords: Autopilot Plug and Forget, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: medium
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot Self-Deploying mode (Preview)
+
+**Applies to: Windows 10, build 17672 or later**
+
+Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required.
+>[!NOTE]
+>In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details.
+
+![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png)
+
+>[!NOTE]
+>While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process – no user authentication or user interaction will be required.
+
+Self-deploying mode can register the device into an organization’s Azure Active Directory tenant, enroll the device in the organization’s mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned).
+
+>[!NOTE]
+>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
+
+Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode.
+
+>[!NOTE]
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error.
+
+Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
+
+Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices you’d like to validate.
+
+## Step by step
+
+In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each machine that will be deployed using self-deploying mode, these additional steps are needed:
+
+- Ensure that the device supports TPM 2.0 and device attestation. (Note that virtual machines are not supported.)
+- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+- Ensure an Autopilot profile has been assigned to the device:
+ - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+ - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+ - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+## Validation
+
+When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- Once connected to a network, the Autopilot profile will be downloaded.
+- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
+ - If multiple languages are preinstalled in Windows 10, the user must pick a language.
+ - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- The [enrollment status page](enrollment-status.md) will be displayed.
+- Depending on the device settings deployed, the device will either:
+ - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
+ - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
new file mode 100644
index 0000000000..2ea0af92da
--- /dev/null
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -0,0 +1,92 @@
+---
+title: Troubleshooting Windows Autopilot
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Troubleshooting Windows Autopilot
+
+**Applies to: Windows 10**
+
+Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information.
+
+## Windows Autopilot deployment
+
+Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device:
+
+- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
+- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
+- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
+- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
+- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
+- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
+
+For troubleshooting, key activities to perform are:
+
+- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements-configuration.md)?
+- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements-network.md)?
+- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
+- Azure AD join issues. Was the device able to join Azure Active Directory?
+- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
+
+### Troubleshooting Autopilot OOBE issues
+
+If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.
+
+#### Windows 10 version 1803 and above
+
+To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration.
+
+| Event ID | Type | Description |
+|----------|------|-------------|
+| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
+| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
+| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
+| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
+| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
+| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
+| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
+| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
+| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
+| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” |
+| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
+| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
+
+In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.
+
+#### Windows 10 version 1709 and above
+
+On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include:
+
+| Value | Description |
+|-------|-------------|
+| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. |
+| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
+| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.|
+| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
+| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
+| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
+
+#### Windows 10 version 1703 and above
+
+On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information.
+
+### Troubleshooting Azure AD Join issues
+
+The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements-configuration.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
+
+Error code 801C0003 will typically be reported on an error page titled "Something went wrong." This error means that the Azure AD join failed.
+
+### Troubleshooting Intune enrollment issues
+
+See [this knowledge base article](https://support.microsoft.com/en-us/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.
+
+Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong." This error means that the MDM enrollment failed.
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
new file mode 100644
index 0000000000..91d9bbf472
--- /dev/null
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -0,0 +1,19 @@
+---
+title: User-driven mode for AAD
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot user-driven mode for Azure Active Directory
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md.
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
new file mode 100644
index 0000000000..091783afa4
--- /dev/null
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -0,0 +1,20 @@
+---
+title: Hybrid AAD Join
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+
+# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time.
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
new file mode 100644
index 0000000000..bb9b722bb6
--- /dev/null
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -0,0 +1,62 @@ +--- +title: Windows Autopilot User-Driven Mode +description: Canonical Autopilot scenario +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot User-Driven Mode + +**Applies to: Windows 10 version 1703 and above** + +Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: + +- Unbox the device, plug it in, and turn it on. +- Choose a language, locale and keyboard. +- Connect it to a wireless or wired network with internet access. +- Specify your e-mail address and password for your organization account. + +After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. + +Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. 
See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +## Step by step + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each machine that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. 
+ +## Validation + +When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: + +- If multiple languages are preinstalled in Windows 10, the user must pick a language. +- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Once connected to a network, the Autopilot profile will be downloaded. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. +- Once correct credentials have been entered, the device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- If configured, the [enrollment status page](enrollment-status.md) will be displayed. +- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. +- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md new file mode 100644 index 0000000000..919b0f5efa --- /dev/null +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md 
@@ -0,0 +1,34 @@ +--- +title: Windows Autopilot configuration requirements +description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot configuration requirements + +**Applies to: Windows 10** + +Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. + +- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. +- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). +- Enable [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. + +Specific scenarios will then have additional requirements. 
Generally, there are two specific tasks: + +- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. +- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. + +See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. + +For a walkthrough for some of these and related steps, see this video: +
    +
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
new file mode 100644
index 0000000000..cb4b220902
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -0,0 +1,39 @@ +--- +title: Windows Autopilot licensing requirements +description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot licensing requirements + +**Applies to: Windows 10** + +Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: + +- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported. + +- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality: + + - Microsoft 365 Business subscriptions + + - Microsoft 365 F1 subscriptions + + - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) + + - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features + + - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service) + +Additionally, the following are also recommended but not required: + +- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services) + +- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
new file mode 100644
index 0000000000..6ed585912e
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
@@ -0,0 +1,83 @@ +--- +title: Windows Autopilot networking requirements +description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot networking requirements + +**Applies to: Windows 10** + +Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: + +- Ensure DNS name resolution for internet DNS names + +- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) + +In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details: + +- **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details: + + - + +- **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information: + + - + +- **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. 
See the following link for details: + + - (Network communication requirements section) + +- **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. + + - + + - NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue. + +- **Delivery Optimization.**  When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices don’t need to download it from the internet. + + - + + - NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue. + +- **Network Time Protocol (NTP) Sync.**  When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. + + - Ensure that UDP port 123 to time.windows.com is accessible. + +- **Domain Name Services (DNS).**  To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. + +- **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation: + + - + + - NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue. + +- **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet. + + - (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP) + +- **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services. + + - (Microsoft store section) + + - NOTE: If the WNS services are not available, the Autopilot process will still continue. 
+ +- **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. + + - (also includes Azure AD and Windows Notification Services) + + - NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue. + +- **Office 365.**  As part of the Intune device configuration, installation of Office 365 ProPlus may be required. + + - (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above) + +- **Certificate revocation lists (CRLs).**  Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented in the Office documentation at and . \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md new file mode 100644 index 0000000000..1ffd9e4582 --- /dev/null +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -0,0 +1,23 @@ +--- +title: Windows Autopilot requirements +description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot requirements + +**Applies to: Windows 10** + +Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met: + +- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met. +- [Networking requirements](windows-autopilot-requirements-network.md) need to be met. +- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md new file mode 100644 index 0000000000..b8259e9016 --- /dev/null +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md 
@@ -0,0 +1,64 @@ +--- +title: Reset devices using local Windows Autopilot Reset +description: Gives an overview of Local Autopilot Reset and how to use it. +keywords: Autopilot Reset, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: +ms.localizationpriority: medium +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Reset devices with local Windows Autopilot Reset + +**Applies to: Windows 10, version 1709 and above + +IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. + +To enable local Autopilot Reset in Windows 10: + +1. [Enable the policy for the feature](#enable-autopilot-reset) +2. [Trigger a reset for each device](#trigger-autopilot-reset) + +## Enable local Windows Autopilot Reset + +To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident. + +You can set the policy using one of these methods: + +- MDM provider + + - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted. 
+ - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy. + +- Windows Configuration Designer + + You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package. + +- Set up School PCs app + + The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset. + +## Trigger local Windows Autopilot Reset + +Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use. + +**To trigger a local Autopilot Reset** + +1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. + + ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + + This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes: + 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. + + ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) + +2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset. + + Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use. 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md new file mode 100644 index 0000000000..7efd53c9f0 --- /dev/null +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md @@ -0,0 +1,36 @@ +--- +title: Reset devices with remote Autopilot Reset (Preview) +description: Gives an overview of remote Autopilot Reset and how to use it. +keywords: Autopilot Reset, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: +ms.localizationpriority: medium +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Reset devices with remote Windows Autopilot Reset (Preview) + +**Applies to: Windows 10, build 17672 or later** + +When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process. + +To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md). + +## Triggering a remote Windows Autopilot Reset + +To trigger a remote Windows Autopilot Reset via Intune, follow these steps: + +- Navigate to **Devices** tab in the Intune console. +- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions. +- Select **Autopilot Reset** to kick-off the reset task. + +>[!NOTE] +>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher. + +Once the reset is complete, the device is again ready for use. + \ No newline at end of file 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
new file mode 100644
index 0000000000..4417198067
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -0,0 +1,53 @@ +--- +title: Windows Autopilot Reset +description: Gives an overview of Remote Autopilot Reset and how to use it. +keywords: Autopilot Reset, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: +ms.localizationpriority: medium +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot Reset + +**Applies to: Windows 10** + +Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. + +The Windows Autopilot Reset process automatically retains information from the existing device: + +- Set the region, language, and keyboard to the originally-configured values. +- Wi-Fi connection details. +- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated. +- Azure Active Directory device membership and MDM enrollment information. + +Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. This requires configuring the device to use the [enrollment status page](enrollment-status.md). + +>[!IMPORTANT] +>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. + +## Scenarios + +Windows Autopilot Reset supports two scenarios: + +- [Local reset](windows-autopilot-reset-local.md), initiated by IT personnel or other administrators from the organization. 
+- [Remote reset](windows-autopilot-reset-remote.md), initiated remotely by IT personnel via an MDM service such as Microsoft Intune. + +Additional requirements and configuration details apply with each scenario; see the detailed links above for more information. + +## Troubleshooting + +Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported. + +To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: + +``` +reagentc /enable +``` + +If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md new file mode 100644 index 0000000000..b832512df1 --- /dev/null +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md 
@@ -0,0 +1,26 @@ +--- +title: Windows Autopilot scenarios +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Windows Autopilot scenarios + +**Applies to: Windows 10** + +Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management). + +For details about these scenarios, see these additional topics: + +- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. +- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. +- [Windows Autopilot Reset](windows-autopilot-reset.md), + diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md new file mode 100644 index 0000000000..39eb571f2a --- /dev/null +++ b/windows/deployment/windows-autopilot/windows-autopilot.md 
@@ -0,0 +1,26 @@ +--- +title: Overview of Windows Autopilot +description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Overview of Windows Autopilot + +**Applies to: Windows 10** + +Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. + + + +When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images as well as drivers for every model of device being used. Instead of re-imaging the device, that existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise, to support advanced features). + +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. 
Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index b46ecc7203..249270aaf6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -556,7 +556,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. The following fields are available: @@ -880,7 +880,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The following fields are available: @@ -1863,7 +1863,7 @@ The following fields are available: ### TelClientSynthetic.HeartBeat_5 -This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. The following fields are available: 
@@ -2746,6 +2746,381 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Remediation events + +>[!NOTE] +>Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). + +### Microsoft.Windows.Remediation.Applicable + +Reports whether a specific remediation to issues preventing security and quality updates is applicable based on detection. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the remediation plugin specified for each generic plugin event. +- **Result** Result for detection or perform action phases of the remediation system. +- **RunAppraiserFailed** Rerun if the appraiser command line tool failed. + +### Microsoft.Windows.Remediation.Completed + +Enables tracking the completion of a process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. +- **HResult** Result of execution of the event. +- **LatestState** Final state of the plugin component. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the specific remediation for each generic plugin event. +- **RemediationNoisyHammerTaskKickOffIsSuccess** Event that indicates the Update Assistant task has been started successfully. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. 
+ +### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent + +Event that indicates whether an error condition occurred while trying to clean up disk space. + +The following fields are available: + +- **CV** Correlation vector. +- **ErrorMessage** Description of any error that was encountered. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **HResult** Result of execution of the event. +- **PackageVersion** Current Remediation package version. + +### Microsoft.Windows.Remediation.Error + +Event for general errors in the Remediation shell. + +The following fields are available: + +- **HResult** Return value. +- **Message** Contains information about any error that occurred. +- **PackageVersion** Current Remediation package version. + +### Microsoft.Windows.Remediation.FallbackError + +Indicates whether an error occurs for a fallback in the plugin. + +The following fields are available: + +- **S0** Fallback error level. +- **wilResult** Result for Windows Installer Logging function. + +### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId + +Event indicates that there was a failure modifying the wsautoupdate task. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **hResult** Result of the failed call. +- **PackageVersion** Current Remediation package version. + +### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId + +Event fires when an unexpected error occurs in the shell routine. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Current package version of Remediation. +- **RemediationShellUnexpectedExceptionId** Identifier of the remediation plugin. 
+ +### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed + +Event indicates that enabling a service failed. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **hResult** Result associated with the given failure. +- **PackageVersion** Current package version of Remediation. +- **serviceName** ServiceName associated with the given operation. + +### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId + +Event containing data about the upgrade process. + +The following fields are available: + +- **AppraiserPlugin** True or False depending on whether the Appraiser Plugin task fix was successful. +- **ClearAUOptionsPlugin** True or False depending on whether the AU Options regkeys were successfully deleted. +- **CV** Correlation vector. +- **DatetimeSyncPlugin** True or False depending on whether the datetime sync plugin ran. +- **DiskCleanupPlugin** Disk space free by disk cleanup plugin. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **NoisyHammerPlugin** True or False depending on whether the Noisy Hammer plugin was successful. +- **PackageVersion** Current package version of Remediation. +- **RebootRequiredPlugin** True or False depending on whether the reboot required plugin ran. +- **RemediationNotifyUserFixIssuesPlugin** True or False depending on whether notify user fix issues plugin was successful. +- **RemediationPostUpgradeDiskSpace** Disk space available after the upgrade. +- **RemediationPostUpgradeHibernationSize** Size of the hibernation file after upgrade. +- **ServiceHealthPlugin** List of services updated by the plugin. +- **SIHHealthPlugin** True or False depending on whether the service health plugin completed successfully. +- **StackDataResetPlugin** True or False depending on whether resetting the update stack completed successfully. 
+- **TaskHealthPlugin** List of tasks updated by the plugin. +- **UpdateApplicabilityFixerPlugin** True or False depending on whether the update applicability fixer plugin completed successfully. +- **WindowsUpdateEndpointPlugin** True or False depending on whether the windows update endpoint was successful. + +### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent + +Event occurs when notify users task executes. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Current Remediation package version. +- **RemediationNotifyUserFixIssuesCallResult** Result of calling the USO sequence of steps. +- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** Error code from USO start download call. +- **RemediationNotifyUserFixIssuesUsoInitializedHr** Error code from USO initialize call. +- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** Error code from USO proxy blanket call. +- **RemediationNotifyUserFixIssuesUsoSetSessionHr** Error code from USO set session call. + +### Microsoft.Windows.Remediation.Started + +Enables tracking the start of a process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the specific remediation for each generic plugin event. +- **Result** Results of the detection or perform action phases of the remediation system. + +### Microsoft.Windows.Remediation.wilResult + +Event containing self-update information. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. 
+- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **failureId** Identifier assigned to this failure +- **filename** The name of the source file where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + +## Sediment Service events + +>[!NOTE] +>Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). + +### Microsoft.Windows.SedimentService.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled. +- **IsSelfUpdateNeeded** True/False based on whether a newer version is available. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin specified for each generic plugin event. 
+- **Result** This is the HRESULT for detection or perform action phases of the plugin. + +### Microsoft.Windows.SedimentService.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** String reason for any plugin failures. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** Result of the service execution. +- **SedimentServiceCheckTaskFunctional** Result of checking if the scheduled task is functional. +- **SedimentServiceCurrentBytes** Current number of bytes the service is consuming. +- **SedimentServiceKillService** True/False based on whether the service should be stopped. +- **SedimentServiceMaximumBytes** Maximum bytes the service can consume. +- **SedimentServiceRetrievedKillService** True/False whether the kill service information was retrieved. +- **SedimentServiceStopping** True/False indicating whether the service was found to be stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of iterations service will wait before running again. + +### Microsoft.Windows.SedimentService.Error + +Indicates whether an error condition occurs in the plugin. + +The following fields are available: + +- **Message** String message containing information from the service. +- **PackageVersion** Version of the package. +- **HResult** Return value from the plugin result. + +### Microsoft.Windows.SedimentService.FallbackError + +Indicates whether an error occurs for a fallback in the plugin. + +The following fields are available: + +- **s0** Fallback error level. +- **wilResult** Result for Windows Installer Logging function. 
+ +### Microsoft.Windows.SedimentService.Information + +General information returned from the plugin. + +The following fields are available: + +- **HResult** Result of the plugin execution. +- **Message** Information collected from the plugin based on the purpose of the plugin. +- **PackageVersion** Version of the package. + +### Microsoft.Windows.SedimentService.Started + +Indicates that a given plugin has started. + +The following fields are available: + +- **CV** Correlation vector +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin running. +- **Result** Return code from the plugin result. + +### Microsoft.Windows.SedimentService.wilResult + +Result from the windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast. +- **failureId** Identifier assigned to this failure. +- **filename** The name of the source file where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). 
+- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + +## Sediment Launcher events + +>[!NOTE] +>Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). + +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled. +- **IsSelfUpdateNeeded** True/False based on whether a newer version is available. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** String reason for any plugin failures. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** Result of the service execution. +- **SedLauncherExecutionResult** Final result of launcher running the plugins from the dll. + +### Microsoft.Windows.SedimentLauncher.Error + +Error occurred during execution of the plugin. + +The following fields are available: + +- **Message** Information message returned from a plugin containing only information internal to plugin execution. 
+- **PackageVersion** Version of the package. +- **HResult** Return value from the plugin result. + +### Microsoft.Windows.SedimentLauncher.FallbackError + +Error occurred during execution of the plugin fallback. + +The following fields are available: + +- **s0** Fallback error level for plugin. +- **wilResult** Result from executing Windows Installer Logging based function. + +### Microsoft.Windows.SedimentLauncher.Information + +General information returned from the plugin. + +The following fields are available: + +- **HResult** Result of the plugin execution. +- **Message** Information collected from the plugin based on the purpose of the plugin. +- **PackageVersion** Version of the package. + +### Microsoft.Windows.SedimentLauncher.Started + +Indicates that a given plugin has started. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin running. +- **Result** Return code from the plugin result. + +### Microsoft.Windows.SedimentLauncher.wilResult + +Result from the windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failurecount** Number of failures seen. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast. +- **failureId** Identifier assigned to this failure. +- **filename** The name of the source file where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. 
+- **lineNumber** Line number within the source file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. ## Setup events @@ -3125,8 +3500,8 @@ The following fields are available: - **BIOSVendor** The vendor of the device's system bios - **BiosVersion** The version of the device's system bios - **BiosReleaseDate** The release date of the device's system bios -- **SystemBIOSMajorRelease** The major release version of the device's system system -- **SystemBIOSMinorRelease** The minor release version of the device's system system +- **SystemBIOSMajorRelease** The major release version of the device's system bios +- **SystemBIOSMinorRelease** The minor release version of the device's system bios - **BiosFamily** The device's family as defined in system bios - **BiosSKUNumber** The device's SKU as defined in system bios - **ClientVersion** The version number of the software distribution client 
@@ -3182,6 +3557,71 @@ The following fields are available: - **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +## Update Assistant Orchestrator events + +>[!NOTE] +>Events from this provider are sent with the installation of KB4023814. For details, see [this support article](https://support.microsoft.com/help/4023814). + +### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId + +Event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.. + +The following fields are available: + +- **ApplicabilityBlockedReason** Blocked due to an applicability issue. +- **ClientId** Identification of the current installed version of Update Assistant. +- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. + +### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId + +Event sends basic info on the reason the Windows 10 update was blocked or prevented. + +The following fields are available: + +- **ClientId** Identification of the current installed version of Update Assistant. +- **DenyReason** Reasons why Update Assistant was prevented from launching. +- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. + +### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId + +Event sends basic info when the Windows 10 Update Assistant tool could not be launched due to an error.. + +The following fields are available: + +- **ClientId** Identification of the current installed version of Update Assistant. +- **HResult** Error code of the Update Assistant Orchestrator error. +- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. 
+ +### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId + +Event sends basic info to signal when the settings related to the Windows 10 update could not be downloaded. + +The following fields are available: + +- **ClientId** Identification of the current installed version of Update Assistant. +- **HResult** Error code of the attempted query for the settings. + +### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId + +Event sends basic info on whether the device should or should not be updated to the latest Windows 10 version. + +The following fields are available: + +- **ClientId** Identification of the current installed version of Update Assistant. +- **LaunchMode** Type of launch performed. +- **LaunchTypeReason** All of the reasons for the type of launch performed. +- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. +- **UALaunchRunCount** Total number of times Update Assistant was launched. + +### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId + +Event sends basic info on whether the Windows 10 update notification had launched previously. + +The following fields are available: + +- **ClientId** Identification of the current installed version of Update Assistant. +- **RestoreReason** All of the reasons for being restored. +- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. ## Update events 
@@ -3479,7 +3919,7 @@ The following fields are available: - **HostOSBuildNumber** The build number of the previous OS. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 072587c84a..d4669aa951 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -922,7 +922,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The following fields are available: @@ -1169,7 +1169,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. The following fields are available: 
@@ -1816,7 +1816,7 @@ The following fields are available: ### TelClientSynthetic.HeartBeat_5 -This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. The following fields are available: 
@@ -2853,6 +2853,208 @@ The following fields are available: - **PluginName** Name of the specific remediation for each generic plugin event. - **Result** Results of the detection or perform action phases of the remediation system. +## Sediment Service events + +>[!NOTE] +>Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). + +### Microsoft.Windows.SedimentService.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled. +- **IsSelfUpdateNeeded** True/False based on whether a newer version is available. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + +### Microsoft.Windows.SedimentService.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** String reason for any plugin failures. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** Result of the service execution. +- **SedimentServiceCheckTaskFunctional** Result of checking if the scheduled task is functional. +- **SedimentServiceCurrentBytes** Current number of bytes the service is consuming. +- **SedimentServiceKillService** True/False based on whether the service should be stopped. 
+- **SedimentServiceMaximumBytes** Maximum bytes the service can consume. +- **SedimentServiceRetrievedKillService** True/False whether the kill service information was retrieved. +- **SedimentServiceStopping** True/False indicating whether the service was found to be stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of iterations service will wait before running again. + +### Microsoft.Windows.SedimentService.Error + +Indicates whether an error condition occurs in the plugin. + +The following fields are available: + +- **Message** String message containing information from the service. +- **PackageVersion** Version of the package. +- **HResult** Return value from the plugin result. + +### Microsoft.Windows.SedimentService.FallbackError + +Indicates whether an error occurs for a fallback in the plugin. + +The following fields are available: + +- **s0** Fallback error level. +- **wilResult** Result for Windows Installer Logging function. + +### Microsoft.Windows.SedimentService.Information + +General information returned from the plugin. + +The following fields are available: + +- **HResult** Result of the plugin execution. +- **Message** Information collected from the plugin based on the purpose of the plugin. +- **PackageVersion** Version of the package. + +### Microsoft.Windows.SedimentService.Started + +Indicates that a given plugin has started. + +The following fields are available: + +- **CV** Correlation vector +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin running. +- **Result** Return code from the plugin result. + +### Microsoft.Windows.SedimentService.wilResult + +Result from the windows internal library. 
+ +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast. +- **failureId** Identifier assigned to this failure. +- **filename** The name of the source file where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + +## Sediment Launcher events + +>[!NOTE] +>Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). + +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled. 
+- **IsSelfUpdateNeeded** True/False based on whether a newer version is available. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** String reason for any plugin failures. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** Result of the service execution. +- **SedLauncherExecutionResult** Final result of launcher running the plugins from the dll. + +### Microsoft.Windows.SedimentLauncher.Error + +Error occurred during execution of the plugin. + +The following fields are available: + +- **Message** Information message returned from a plugin containing only information internal to plugin execution. +- **PackageVersion** Version of the package. +- **HResult** Return value from the plugin result. + +### Microsoft.Windows.SedimentLauncher.FallbackError + +Error occurred during execution of the plugin fallback. + +The following fields are available: + +- **s0** Fallback error level for plugin. +- **wilResult** Result from executing Windows Installer Logging based function. + +### Microsoft.Windows.SedimentLauncher.Information + +General information returned from the plugin. + +The following fields are available: + +- **HResult** Result of the plugin execution. +- **Message** Information collected from the plugin based on the purpose of the plugin. +- **PackageVersion** Version of the package. + +### Microsoft.Windows.SedimentLauncher.Started + +Indicates that a given plugin has started. 
+ +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **PackageVersion** Version of the package. +- **PluginName** Name of the plugin running. +- **Result** Return code from the plugin result. + +### Microsoft.Windows.SedimentLauncher.wilResult + +Result from the windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failurecount** Number of failures seen. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast. +- **failureId** Identifier assigned to this failure. +- **filename** The name of the source file where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. ## Setup events 
@@ -3305,6 +3507,71 @@ The following fields are available:
 - **UpdateId** "Identifier associated with the specific piece of content "
 - **WUDeviceID** "Unique device id controlled by the software distribution client "
+## Update Assistant Orchestrator events
+
+>[!NOTE]
+>Events from this provider are sent with the installation of KB4023814. For details, see [this support article](https://support.microsoft.com/help/4023814).
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
+
+Event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies..
+
+The following fields are available:
+
+- **ApplicabilityBlockedReason** Blocked due to an applicability issue.
+- **ClientId** Identification of the current installed version of Update Assistant.
+- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
+
+Event sends basic info on the reason the Windows 10 update was blocked or prevented.
+
+The following fields are available:
+
+- **ClientId** Identification of the current installed version of Update Assistant.
+- **DenyReason** Reasons why Update Assistant was prevented from launching.
+- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
+
+Event sends basic info when the Windows 10 Update Assistant tool could not be launched due to an error..
+
+The following fields are available:
+
+- **ClientId** Identification of the current installed version of Update Assistant.
+- **HResult** Error code of the Update Assistant Orchestrator error.
+- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
+
+Event sends basic info to signal when the settings related to the Windows 10 update could not be downloaded.
+
+The following fields are available:
+
+- **ClientId** Identification of the current installed version of Update Assistant.
+- **HResult** Error code of the attempted query for the settings.
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
+
+Event sends basic info on whether the device should or should not be updated to the latest Windows 10 version.
+
+The following fields are available:
+
+- **ClientId** Identification of the current installed version of Update Assistant.
+- **LaunchMode** Type of launch performed.
+- **LaunchTypeReason** All of the reasons for the type of launch performed.
+- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+- **UALaunchRunCount** Total number of times Update Assistant was launched.
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
+
+Event sends basic info on whether the Windows 10 update notification had launched previously.
+
+The following fields are available:
+
+- **ClientId** Identification of the current installed version of Update Assistant.
+- **RestoreReason** All of the reasons for being restored.
+- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
 ## Update events
@@ -3585,7 +3852,7 @@ The following fields are available:
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
 - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields.md
index 341093a206..84da766a22 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields.md
@@ -530,7 +530,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
 The following fields are available:
@@ -814,7 +814,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
 The following fields are available:
@@ -4411,7 +4411,7 @@ The following fields are available:
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
 - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 17d45d542b..80ab6e72d3 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,445 +1,445 @@
----
-description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
-title: Configure Windows diagnostic data in your organization (Windows 10)
-keywords: privacy
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 04/04/2018
----
-
-# Configure Windows diagnostic data in your organization
-
-**Applies to**
-
-- Windows 10 Enterprise
-- Windows 10 Mobile
-- Windows Server
-
-At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-
-To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-
-This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-
-Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component.
The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Overview
-
-In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
-
-For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-
-## Understanding Windows diagnostic data
-
-Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-
-### What is Windows diagnostic data?
-Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
-
-Here are some specific examples of Windows diagnostic data:
-
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
-
-### What is NOT diagnostic data?
-
-Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-
-There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
-
-If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-
-The following are specific examples of functional data:
-
-- Current location for weather
-- Bing searches
-- Wallpaper and desktop settings synced across multiple devices
-
-### Diagnostic data gives users a voice
-
-Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
-
-### Drive higher app and driver quality
-
-Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-
-#### Real-world example of how Windows diagnostic data helps
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day.
Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
-
-### Improve end-user productivity
-
-Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
-
-- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-
-**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
-
-
-### Insights into your own organization
-
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use.
The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-#### Upgrade Readiness
-
-Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-
-To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-
-With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer, driver, and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
-## How is diagnostic data handled by Microsoft?
-
-### Data collection
-
-Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data.
The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
-
-1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
-2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
-
-Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
-
-### Data transmission
-
-All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
-
-
-### Endpoints
-
-The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-
-The following table defines the endpoints for Connected User Experiences and Telemetry component:
-
-Windows release | Endpoint
---- | ---
-Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

    Functional: v20.vortex-win.data.microsoft.com/collect/v1
    Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
    settings-win.data.microsoft.com
-Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

    settings-win.data.microsoft.com
-
-The following table defines the endpoints for other diagnostic data services:
-
-| Service | Endpoint |
-| - | - |
-| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
-| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
-
-### Data use and access
-
-The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
-
-### Retention
-
-Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
-
-## Diagnostic data levels
-This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
-
-The diagnostic data is categorized into four levels:
-
-- **Security**.
Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-
-- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
-
-- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
-
-- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
-
-The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
-
-![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png)
-
-### Security level
-
-The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
-
-> [!NOTE]
-> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
-
-The data gathered at this level includes:
-
-- **Connected User Experiences and Telemetry component settings**.
If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- > [!NOTE]
- > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-
-- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
-
- > [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-
-For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-
-No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-### Basic level
-
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-
-The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem.
Examples include:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
-
- - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
-
- - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
-
- - Operating system attributes, such as Windows edition and virtualization state
-
- - Storage attributes, such as number of drives, type, and size
-
-- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
-
- - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- - - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. - - - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. - - -### Enhanced level - -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. - -The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. - -The data gathered at this level includes: - -- **Operating system events**. 
Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. - -If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. - -#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics -Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. - -In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. 
- -- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. - -- **Some crash dump types.** All crash dump types, except for heap and full dumps. - -**To turn on this behavior for devices** - -1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. - - -AND- - -2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. - -### Full level - -The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. - -Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. 
- -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. - -However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- All crash dump types, including heap dumps and full dumps. - -## Enterprise management - -Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. - -Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. - -IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. 
Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface. - - -### Manage your diagnostic data settings - -We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. - -> [!IMPORTANT] -> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). - -You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. - -The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. 
- -### Configure the operating system diagnostic data level - -You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. - -Use the appropriate value in the table below when you configure the management policy. - -| Level | Data gathered | Value | -| - | - | - | -| Security | Security data only. | **0** | -| Basic | Security data, and basic system and quality data. | **1** | -| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | -| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | - - > [!NOTE] - > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. - -### Use Group Policy to set the diagnostic data level - -Use a Group Policy object to set your organization’s diagnostic data level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the diagnostic data level - -Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. - -### Use Registry Editor to set the diagnostic data level - -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. 
If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. - -2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Configure System Center 2016 diagnostic data - -For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps: - -- Turn off diagnostic data by using the System Center UI Console settings workspace. - -- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). - -### Additional diagnostic data controls - -There are a few more settings that you can turn off that may send diagnostic data information: - -- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. 
For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - - > [!NOTE] - > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -## Additional resources - -FAQs - -- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) -- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) -- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) -- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) -- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) -- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) - -Blogs - -- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -Privacy Statement - 
-- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -TechNet - -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -Web Pages - -- [Privacy at Microsoft](http://privacy.microsoft.com) - - +--- +description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. +title: Configure Windows diagnostic data in your organization (Windows 10) +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: brianlic-msft +ms.date: 04/04/2018 +--- + +# Configure Windows diagnostic data in your organization + +**Applies to** + +- Windows 10 Enterprise +- Windows 10 Mobile +- Windows Server + +At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. + +To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). 
These principles guided the implementation of the Windows diagnostic data system in the following ways: + +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. + +This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. 
+ +Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. + +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. + +## Overview + +In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. + +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. + +## Understanding Windows diagnostic data + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. 
Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. + +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows diagnostic data? +Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows diagnostic data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT diagnostic data? + +Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. 
+ +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Diagnostic data gives users a voice + +Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Drive higher app and driver quality + +Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +#### Real-world example of how Windows diagnostic data helps +There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. 
Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. + +### Improve end-user productivity + +Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. 
+ +**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +#### Upgrade Readiness + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +## How is diagnostic data handled by Microsoft? + +### Data collection + +Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. +2. Events are gathered using public operating system event logging and tracing APIs. +3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. +4. The Connected User Experiences and Telemetry component transmits the diagnostic data. + +Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. + +### Data transmission + +All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. 
With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). + + +### Endpoints + +The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. + +The following table defines the endpoints for Connected User Experiences and Telemetry component: + +Windows release | Endpoint +--- | --- +Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

    Functional: v20.vortex-win.data.microsoft.com/collect/v1
    Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
    settings-win.data.microsoft.com +Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

    settings-win.data.microsoft.com + +The following table defines the endpoints for other diagnostic data services: + +| Service | Endpoint | +| - | - | +| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | +| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | + +### Data use and access + +The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. + +## Diagnostic data levels +This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. + +The diagnostic data is categorized into four levels: + +- **Security**. 
Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. + +- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. + +- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. + +The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. + +![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png) + +### Security level + +The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. + +> [!NOTE] +> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. + +The data gathered at this level includes: + +- **Connected User Experiences and Telemetry component settings**. 
If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + > [!NOTE] + > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. 
+ +For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. + +The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. + +The data gathered at this level includes: + +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. 
Examples include: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware + + - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. + + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. 
+ + - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. + + - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. + + +### Enhanced level + +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. + +The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. + +The data gathered at this level includes: + +- **Operating system events**. 
Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. + +If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. + +#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics +Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. + +In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. 
+ +- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. + +- **Some crash dump types.** All crash dump types, except for heap and full dumps. + +**To turn on this behavior for devices** + +1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. + + -AND- + +2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. + +### Full level + +The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. + +Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. 
+ +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. + +However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- All crash dump types, including heap dumps and full dumps. + +## Enterprise management + +Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. + +Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. + +IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. 
Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface. + + +### Manage your diagnostic data settings + +We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. + +> [!IMPORTANT] +> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). + +You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. + +The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. 
+ +### Configure the operating system diagnostic data level + +You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. + +Use the appropriate value in the table below when you configure the management policy. + +| Level | Data gathered | Value | +| - | - | - | +| Security | Security data only. | **0** | +| Basic | Security data, and basic system and quality data. | **1** | +| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | +| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | + + > [!NOTE] + > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. + +### Use Group Policy to set the diagnostic data level + +Use a Group Policy object to set your organization’s diagnostic data level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the diagnostic data level + +Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the diagnostic data level + +Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. 
If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** + +5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Configure System Center 2016 diagnostic data + +For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps: + +- Turn off diagnostic data by using the System Center UI Console settings workspace. + +- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). + +### Additional diagnostic data controls + +There are a few more settings that you can turn off that may send diagnostic data information: + +- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. 
For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. + + > [!NOTE] + > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +## Additional resources + +FAQs + +- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) +- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) +- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) +- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) +- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) +- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) + +Blogs + +- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +Privacy Statement + 
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +TechNet + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) + +Web Pages + +- [Privacy at Microsoft](http://privacy.microsoft.com) + + diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index 67fd23abec..15ce44125d 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -1,6 +1,6 @@ --- title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10) -description: Use this article to learn about the types of data that is collected the the Full diagnostic data level. +description: Use this article to learn about the types of data that is collected the Full diagnostic data level. keywords: privacy,Windows 10 ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 4b824f3b1d..9c969844b3 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -109,7 +109,7 @@ This setting determines whether a device shows notifications about Windows diagn >| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | >| **Value** | DisableTelemetryOptInChangeNotification | >| **Type** | REG_DWORD | ->| **Setting** | "00000001" | +>| **Setting** | "00000000" | #### MDM diff --git a/windows/security/TOC.md b/windows/security/TOC.md index 1a508b07b8..6ac5b43506 100644 --- a/windows/security/TOC.md +++ b/windows/security/TOC.md 
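Review bot: The `DisableTelemetryOptInChangeNotification` row in windows-personal-data-services-configuration.md now documents `"00000000"` instead of `"00000001"`, but nothing in the hunk states which behaviour that value is meant to produce, and for a value named *Disable…* the two settings are opposites (1 presumably suppresses the diagnostic-data opt-in change notification, 0 presumably leaves it enabled). Anyone applying the table from this revision will configure devices the other way round from the previous one, so the row should say what the value does, for example `>| **Setting** | "00000000" (notification is shown; "00000001" suppresses it) |`. The sentence describing the setting ("This setting determines whether a device shows notifications…") begins outside the hunk and should be checked for agreement with the new value.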
@@ -1,5 +1,6 @@
 # [Security](index.yml)
 ## [Identity and access management](identity-protection/index.md)
-## [Threat protection](threat-protection/index.md)
 ## [Information protection](information-protection/index.md)
-## [Hardware-based protection](hardware-protection/index.md)
\ No newline at end of file
+## [Threat protection](threat-protection/index.md)
+
+
diff --git a/windows/security/hardware-protection/TOC.md b/windows/security/hardware-protection/TOC.md
deleted file mode 100644
index 86788da403..0000000000
--- a/windows/security/hardware-protection/TOC.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# [Hardware-based protection](index.md)
-
-## [Encrypted Hard Drive](encrypted-hard-drive.md)
-
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
-
-## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
-
-## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
-### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
-### [TPM fundamentals](tpm/tpm-fundamentals.md)
-### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
-### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
-### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
-### [Manage TPM commands](tpm/manage-tpm-commands.md)
-### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
-### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
-### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
-### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-### [TPM recommendations](tpm/tpm-recommendations.md)
-
diff --git a/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md
deleted file mode 100644
index 8b6124f000..0000000000
--- a/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: How hardware-based containers help protect Windows 10 (Windows 10)
-description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: justinha
-ms.date: 06/29/2017
----
-
-# How hardware-based containers help protect Windows 10
-
-Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
-
-Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesn’t protect the rest of the operating system, information on the device, other apps, or the network.
-Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network.
-With this, Windows can start to protect the broader range of resources.
-
-The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system.
-
-![Application Guard and System Guard](images/application-guard-and-system-guard.png)
-
-## What security threats do containers protect against
-
-Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of.
-The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it.
-Let’s look at how an attacker might elevate privileges and move down the stack.
-
-![Traditional Windows software stack](images/traditional-windows-software-stack.png)
-
-In desktop operating systems, those apps typically run under the context of the user’s privileges.
-If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on.
-
-A different type of app may run under the context of an Administrator.
-If attackers exploit a vulnerability in that app, they could gain Administrator privileges.
-Then they can start turning off defenses.
-
-They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator.
-Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy.
-SecOps tools could report the computer as healthy when in fact it’s completely under the control of someone else.
-
-One way to address this threat is to use a sandbox, as smartphones do.
-That puts a layer between the app layer and the Windows platform services.
-Universal Windows Platform (UWP) applications work this way.
-But what if a vulnerability in the sandbox exists?
-The attacker can escape and take control of the system.
-
-## How containers help protect Windows 10
-
-Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container.
-The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device.
-
-Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised.
-Anything that's running in that container will also be secure against a compromised app.
-Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time.
-
-![Windows Defender System Guard](images/windows-defender-system-guard.png)
diff --git a/windows/security/hardware-protection/images/application-guard-and-system-guard.png b/windows/security/hardware-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/hardware-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/hardware-protection/images/traditional-windows-software-stack.png b/windows/security/hardware-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/hardware-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/hardware-protection/images/windows-defender-system-guard.png b/windows/security/hardware-protection/images/windows-defender-system-guard.png
deleted file mode 100644
index 865af86b19..0000000000
Binary files a/windows/security/hardware-protection/images/windows-defender-system-guard.png and /dev/null differ
diff --git a/windows/security/hardware-protection/index.md b/windows/security/hardware-protection/index.md
deleted file mode 100644
index 454b0ec4e1..0000000000
--- a/windows/security/hardware-protection/index.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-title: Hardware-based Protection (Windows 10)
-description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 02/05/2018
----
-
-# Hardware-based protection
-
-Windows 10 leverages these hardware-based security features to protect and maintain system integrity.
-
-| Section | Description |
-|-|-|
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
-|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
-| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index 7fde2f9d2f..91f27e52b9 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -17,7 +17,7 @@
 ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
 ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
 ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
@@ -28,7 +28,6 @@
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
 ### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
-
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
 ## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 09953fe371..2cc7a62ad3 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.date: 04/19/2017
+ms.date: 07/30/2018
 ---
 # Local Accounts
@@ -92,7 +92,7 @@ The Administrator account cannot be deleted or removed from the Administrators g
 **Security considerations**
-Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to to the server or client computer.
+Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
 You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](http://technet.microsoft.com/library/cc732112.aspx) and [Rename a local user account](http://technet.microsoft.com/library/cc725595.aspx).
@@ -114,11 +114,11 @@ Even when the Administrator account has been disabled, it can still be used to g
 ### Guest account
-The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
+The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
 **Account group membership**
-By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
+By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
 **Security considerations**
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index f88ca13870..e5086ff9c0 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -64,7 +64,7 @@ On the device, perform the following steps: (add select certificate)
 7. Tap the back arrow.
 ## Encrypt or sign individual messages
-1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the the ellipsis (...).
+1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the ellipsis (...).
 2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 0e9283f815..31116809dd 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -24,10 +24,10 @@ Windows, today, natively only supports the use of a single credential (password,
 Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
-Which organizations can take advanage of Multifactor unlock? Those who:
+Which organizations can take advantage of Multifactor unlock? Those who:
 * Have expressed that PINs alone do not meet their security needs.
 * Want to prevent Information Workers from sharing credentials.
-* Want their orgs to comply with regulatory two-factor authentication policy.
+* Want their organizations to comply with regulatory two-factor authentication policy.
 * Want to retain the familiar Windows logon UX and not settle for a custom solution.
 You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
@@ -188,7 +188,8 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP
 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
 ```
 ##### dnsSuffix
-The fully qualified domain name of your organizations internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your
+s internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix. The **signal** element may contain one or more **dnsSuffix** elements.
 **Example**
 ```
 corp.contoso.com
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 15a3fdc61d..d4cda1fcb1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -217,7 +217,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
 6. In the **Applies to** list box, select **Descendant User objects**.
 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
+8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
 9. Click **OK** three times to complete the task.
 ## Configure the Device Registration Service
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index a07b0f9acd..b09e2f8ec6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -253,7 +253,7 @@ The definition helps you to verify whether the values are present or if you need
 #### Issue objectSID of the computer account on-premises
-**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
+**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
 @RuleName = "Issue objectSID for domain-joined computers"
 c1:[
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 9ac1099b03..effbe6b03a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -51,7 +51,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
 > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
 > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
+> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
 > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 > [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 3b76fcd29c..ce00462dc9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -38,7 +38,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
 5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
 6. In the **Applies to** list box, select **Descendant User objects**.
 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
+8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
 9. Click **OK** three times to complete the task.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 11d1a66100..f986fd3e0e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -60,7 +60,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
 1. Open an elevated Windows PowerShell prompt.
 2. Use the following command to install the Active Directory Certificate Services role.
 ```PowerShell
- Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools
+ add-windowsfeature adcs-cert-authority -IncludeManagementTools
 ```
 3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index f1093f35c9..59977cb224 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -23,16 +23,16 @@ Hybrid environments are distributed systems that enable organizations to use on-
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
 * [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
 * [Directory Synchronization](#directory-synchronization)
 * [Federation](#federation)
 * [MultiFactor Authetication](#multifactor-authentication)
 * [Device Registration](#device-registration)
 ## Directories ##
-Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The
+Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
-A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
+A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
 You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business.
 Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
@@ -52,13 +52,13 @@ Review these requirements and those from the Windows Hello for Business planning
 ## Public Key Infrastructure ##
 The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
-Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Diretory object.
+Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
 The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012.
 > [!IMPORTANT]
 > For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
-> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store.
+> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
 > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
 ### Section Review
@@ -99,12 +99,12 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
 > [!div class="checklist"]
 > * Azure MFA Service
 > * Windows Server 2016 AD FS and Azure (optional, if federated)
-> * Windows Server 2016 AD FS and third party MFA Adapter (optional, if federated)
+> * Windows Server 2016 AD FS and third-party MFA Adapter (optional, if federated)
 ## Device Registration ##
-Organizations wanting to deploy hybrid key trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory.
+Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory.
 ### Section Checklist ###
@@ -114,11 +114,11 @@ Organizations wanting to deploy hybrid key trust need thier domain joined device
 ### Next Steps ###
-Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**.
+Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
-For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**.
+For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**.
-For federerated and non-federated environments, start with **Configure Windows Hello for Business settings**.
+For federated and non-federated environments, start with **Configure Windows Hello for Business settings**.
 > [!div class="op_single_selector"]
 > - [New Installation Baseline](hello-hybrid-key-new-install.md)
@@ -131,7 +131,7 @@ For federerated and non-federated environments, start with **Configure Windows H
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-key-trust.md)
-2. Prerequistes (*You are here*)
+2. Prerequisites (*You are here*)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index ec87d95afa..ce0710525a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -45,11 +45,11 @@ The provisioning flow has all the information it needs to complete the Windows H
 * A fresh, successful multi-factor authentication
 * A validated PIN that meets the PIN complexity requirements
-The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisiong application and see their desktop. While the user has completed provisioning, Azure AD Connect syncrhonizes the user's key to Active Directory.
+The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory.
 > [!IMPORTANT]
-> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
+> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
+> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
 > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 > [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index be72d0be4e..8b9848f45c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -18,7 +18,7 @@ ms.date: 10/23/2017
 >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
-Configure the appropriate security groups to effeiciently deploy Windows Hello for Business to users.
+Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.
 ### Creating Security Groups
@@ -58,4 +58,4 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. Configure Windows Hello for Business settings: Active Directory (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index c52c1c6950..7fa866d652 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -19,13 +19,13 @@ ms.date: 10/23/2017
 >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
-Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer.
+Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
 All deployments use enterprise issued certificates for domain controllers as a root of trust.
-## Certifcate Templates
+## Certificate Templates
-This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority.
+This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
 ### Domain Controller certificate template
@@ -49,7 +49,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
 8. Close the console.
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
+#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
 Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
@@ -108,7 +108,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 7f3233d1bb..4ddb7eed9d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -25,7 +25,7 @@ Install the Remote Server Administration Tools for Windows 10 on a computer runn
 Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
-Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate.
+Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
 Hybrid Azure AD joined devices needs one Group Policy settings:
 * Enable Windows Hello for Business
@@ -36,7 +36,7 @@ Domain controllers automatically request a certificate from the *Domain Controll
 To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
-#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object
+#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object
 Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
@@ -47,7 +47,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
-8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**.
+8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
 9. Select **Enabled** from the **Configuration Model** list.
 10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
 11. Select the **Update certificates that use certificate templates** check box.
@@ -58,7 +58,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�** +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO** 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. ### Windows Hello for Business Group Policy 
@@ -67,7 +67,7 @@ The Windows Hello for Business Group Policy object delivers the correct Group Po #### Enable Windows Hello for Business -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. 
@@ -100,16 +100,16 @@ The best way to deploy the Windows Hello for Business Group Policy object is to The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO�** +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** 3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All other users ignore the Group Policy object. 
## Other Related Group Policy settings ### Windows Hello for Business -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting so they are applicable to any user that sign-in from a computer with these policy settings. #### Use a hardware security device 
@@ -117,7 +117,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics 
@@ -144,7 +144,7 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review > [!div class="checklist"] @@ -163,9 +163,9 @@ Users must receive the Windows Hello for Business group policy settings and have ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business policy settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 98ea8551bf..05697bb83f 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -21,7 +21,7 @@ ms.date: 10/23/2017 You are ready to configure your hybrid key trust environment for Windows Hello for Business. > [!IMPORTANT] -> Ensure your environment meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. +> Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. The configuration for Windows Hello for Business is grouped in four categories. These categories are: * [Active Directory](hello-hybrid-key-whfb-settings-ad.md) @@ -45,4 +45,4 @@ For the most efficent deployment, configure these technologies in order beginnin 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md index 8b6124f000..04430822f3 100644 --- a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md 
+++ b/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md 
@@ -7,54 +7,46 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: justinha -ms.date: 06/29/2017 +ms.date: 08/01/2018 --- -# How hardware-based containers help protect Windows 10 + +# Windows Defender System Guard: How hardware-based containers help protect Windows 10 Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. -Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesn’t protect the rest of the operating system, information on the device, other apps, or the network. -Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network. -With this, Windows can start to protect the broader range of resources. +Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees: -The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system. 
+- Protect and maintain the integrity of the system as it starts up +- Protect and maintain the integrity of the system after it's running +- Validate that system integrity has truly been maintained through local and remote attestation -![Application Guard and System Guard](images/application-guard-and-system-guard.png) +## Maintaining the integrity of the system as it starts -## What security threats do containers protect against +With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. -Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of. -The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it. -Let’s look at how an attacker might elevate privileges and move down the stack. +With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). -![Traditional Windows software stack](images/traditional-windows-software-stack.png) +After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. 
As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. -In desktop operating systems, those apps typically run under the context of the user’s privileges. -If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on. +This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start. -A different type of app may run under the context of an Administrator. -If attackers exploit a vulnerability in that app, they could gain Administrator privileges. -Then they can start turning off defenses. +![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) -They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator. -Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy. -SecOps tools could report the computer as healthy when in fact it’s completely under the control of someone else. +## Maintaining integrity of the system after it’s running (run time) -One way to address this threat is to use a sandbox, as smartphones do. -That puts a layer between the app layer and the Windows platform services. -Universal Windows Platform (UWP) applications work this way. 
-But what if a vulnerability in the sandbox exists? -The attacker can escape and take control of the system. +Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary. -## How containers help protect Windows 10 +With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few. -Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container. -The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device. +![Windows Defender System Guard](images/windows-defender-system-guard.png) -Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised. -Anything that's running in that container will also be secure against a compromised app. 
-Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time. +## Validating platform integrity after Windows is running (run time) -![Windows Defender System Guard](images/windows-defender-system-guard.png) +While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. + +As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. 
+ + +![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png) \ No newline at end of file diff --git a/windows/security/identity-protection/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/identity-protection/images/windows-defender-system-guard-boot-time-integrity.png new file mode 100644 index 0000000000..1761e2e539 Binary files /dev/null and b/windows/security/identity-protection/images/windows-defender-system-guard-boot-time-integrity.png differ diff --git a/windows/security/identity-protection/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/identity-protection/images/windows-defender-system-guard-validate-system-integrity.png new file mode 100644 index 0000000000..fbd6a798b0 Binary files /dev/null and b/windows/security/identity-protection/images/windows-defender-system-guard-validate-system-integrity.png differ diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 22c5b6361e..a57b762d3a 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -58,6 +58,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + + ## Trusted network detection This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. @@ -86,4 +95,4 @@ After you add an associated app, if you select the **Only these apps can use thi - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) 
diff --git a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 4aeab49c4b..840bf5b9b7 100644 --- a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 04/19/2017 +author: Justinha +ms.date: 07/30/2018 --- # Configure the Workstation Authentication Certificate Template @@ -36,7 +36,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro 6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. -7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. +7. Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. 8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. diff --git a/windows/security/index.yml b/windows/security/index.yml index b928c6db2b..019ee50e72 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
@@ -14,7 +14,7 @@ metadata: keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3 - ms.localizationpriority: medium + ms.localizationpriority: high author: brianlic-msft @@ -22,7 +22,7 @@ metadata: manager: brianlic - ms.date: 02/06/2018 + ms.date: 07/12/2018 ms.topic: article @@ -78,199 +78,17 @@ sections: title: Information protection -- title: Security features built in to Windows 10 - +- title: Windows Defender Advanced Threat Protection items: - - - type: paragraph - - text: 'Windows 10 enables critical security features to protect your device right from the start.' - - - type: list - - style: cards - - className: cardsM - - columns: 3 - - items: - - - href: \windows\security\hardware-protection\how-hardware-based-containers-help-protect-windows - - html:

    Protect the boot process and maintain system integrity

    - - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Windows Defender System Guard - - - href: \windows\security\threat-protection\windows-defender-antivirus\windows-defender-antivirus-in-windows-10 - - html:

    Protect against malware management using next-generation antivirus technologies

    - - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Windows Defender Antivirus - - - href: \windows\security\information-protection\bitlocker\bitlocker-overview - - html:

    Prevent data theft from lost or stolen devices

    - - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: BitLocker - -- title: Security features in Microsoft 365 E3 - - items: - - - type: paragraph - - text: 'Windows 10 Enterprise provides the foundation for Microsoft 365 E3 and a secure modern workplace.' - - - type: list - - style: cards - - className: cardsM - - columns: 3 - - items: - - - href: \windows\security\identity-protection\hello-for-business\hello-overview - - html:

    Give users a more personal and secure way to access their devices

    - - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Windows Hello for Business - - - href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control - - html:

    Lock down applications that run on a device

    - - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Windows Defender Application Control - - - href: \windows\security\information-protection\windows-information-protection\protect-enterprise-data-using-wip - - html:

    Prevent accidental data leaks from enterprise devices

    - - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: Windows Information Protection - -- title: Security features in Microsoft 365 E5 - - items: - - - type: paragraph - - text: 'Get all of the protection from Microsoft 365 E3 security, plus these cloud-based security features to help you defend against even the most advanced threats.' - - - type: list - - style: cards - - className: cardsM - - columns: 3 - - items: - - - href: https://docs.microsoft.com/azure/active-directory/active-directory-identityprotection - - html:

    Identity Protection and Privileged Identity Management

    - - image: - - src: https://docs.microsoft.com/media/common/i_identity-protection.svg - - title: Azure Active Directory P2 - - - href: \windows\security\threat-protection\Windows-defender-atp\windows-defender-advanced-threat-protection - - html:

    Detect, investigate, and respond to advanced cyberattacks

    - - image: - - src: https://docs.microsoft.com/media/common/i_threat-protection.svg - - title: Windows Defender Advanced Threat Protection - - - href: https://www.microsoft.com/cloud-platform/azure-information-protection - - html:

    Protect documents and email automatically

    - - image: - - src: https://docs.microsoft.com/media/common/i_information-protection.svg - - title: Azure Information Protection P2 - -- title: Videos - - items: - - type: markdown - - text: ">[![VIDEO](images/next-generation-windows-security-vision.png)](https://www.youtube.com/watch?v=IvZySDNfNpo)" - - - type: markdown - - text: ">[![VIDEO](images/fall-creators-update-next-gen-security.png)](https://www.youtube.com/watch?v=JDGMNFwyUg8)" - -- title: Additional security features in Windows 10 - - items: - - - type: paragraph - - text: 'These additional security features are also built in to Windows 10 Enterprise.' - - - type: list - - style: unordered - - items: - - - html: Windows Defender Firewall - - html: Windows Defender Exploit Guard - - html: Windows Defender Credential Guard - - html: Windows Defender Application Control - - html: Windows Defender Application Guard - - html: Windows Defender SmartScreen - - html: Windows Defender Security Center - -- title: Security Resources - - items: - - - type: list - - style: unordered - - items: - - - html: Windows Defender Security Intelligence - - html: Microsoft Secure blog - - html: Security Update blog - - html: Microsoft Security Response Center (MSRC) - - html: MSRC Blog - - html: Ransomware FAQ - - + text: " + Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. +
     
    + + + + + + + +
    Attack surface reductionNext generation protectionEndpoint detection and responseAuto investigation and remediationSecurity posture
    [Hardware based isolation](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)

    [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

    [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

    [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

    [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)

    [Network firewall](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)

    [Attack surface reduction controls](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
    [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

    [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

    [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
    [Alerts queue](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)

    [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

    [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

    [API and SIEM integration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)

    [Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

    [Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

    [Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

    [Advanced detonation and analysis service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)
    [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)

    [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)

    [Manage automated investigations](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)

    [Analyze automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)
    [Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

    [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

    [Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

    [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

    [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

    [Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
    " \ No newline at end of file diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index c845e7e6aa..b9c98da745 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -15,7 +15,7 @@ ### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md) ### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md) ### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md) -### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md) +### [BitLocker: Management for enterprises](bitlocker\bitlocker-management-for-enterprises.md) ### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md) ### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) ### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md) @@ -28,6 +28,7 @@ #### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md) ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) +## [Encrypted Hard Drive](encrypted-hard-drive.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) 
@@ -53,3 +54,20 @@
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
 ### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
+## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
+
+## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
+### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
+### [TPM fundamentals](tpm/tpm-fundamentals.md)
+### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
+### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
+### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
+### [Manage TPM commands](tpm/manage-tpm-commands.md)
+### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
+### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
+### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
+### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
+### [TPM recommendations](tpm/tpm-recommendations.md)
+
+
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 0b99703f80..4643595543 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -351,6 +351,7 @@ The following steps can be used to configure Network Unlock on these older syste
 6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix) Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
 reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
 reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index cd19782c52..691e7ec1de 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -8,85 +8,36 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 10/27/2017 +ms.date: 07/27/2018 --- -# BitLocker Management Recommendations for Enterprises +# BitLocker Management for Enterprises -This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices. +The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -## Forward-looking recommendations for managing BitLocker +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. -The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. 
The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. - -Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD). - -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for: - - - [Domain-joined computers](#dom_join) - - - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad) - - - [Workplace-joined PCs and Phones](#work_join) - - - [Servers](#servers) - - - [Scripts](#powershell) - -
    - -## BitLocker management at a glance - -| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone -|---|---|----|---|---| -|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A| -|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS| - -
    -*PC hardware that supports Modern Standby or HSTI - -
    -
    - - -## Recommendations for domain-joined computers - -Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption). +## Managing domain-joined computers and moving to cloud Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality: +Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. 
Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). -- Encrypts device with BitLocker using MBAM -- Stores BitLocker Recovery keys in MBAM Server -- Provides Recovery key access to end-user, helpdesk and advanced helpdesk -- Provides Reporting on Compliance and Recovery key access audit +## Managing devices joined to Azure Active Directory - -[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1). - -
    - - -## Recommendations for devices joined to Azure Active Directory - - - -Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. - -## Workplace-joined PCs and phones +## Managing workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join. +For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. - -## Recommendations for servers +## Managing servers Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. 
@@ -98,8 +49,6 @@ If you are installing a server manually, such as a stand-alone server, then choo
 For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
-
-
 ## PowerShell examples
 For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
@@ -136,8 +85,6 @@ PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
 PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
 ```
-
-
 ## Related Articles
 [BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index 29a5d2fc39..66780914d3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 05/03/2018
+ms.date: 07/10/2018
 ---
 # BitLocker To Go FAQ
@@ -18,5 +18,7 @@ ms.date: 05/03/2018
 ## What is BitLocker To Go?
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
+
+As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index d871cf396b..1edcded5ee 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 05/03/2018
+ms.date: 07/10/2018
 ---
 # Using BitLocker with other programs FAQ
@@ -89,11 +89,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
 BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
 - With TPM - Yes it is supported
-- Without TPM - Yes it is supported (with password ) protector
+- Without TPM - Yes it is supported (with password protector)
-BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
+BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
 ## Can I use BitLocker with virtual machines (VMs)?
-Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. 
You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
diff --git a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
index d7abb90fbd..d96b30a8c5 100644
--- a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
+++ b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
@@ -85,13 +85,13 @@ DMA-based expansion slots are another avenue of attack, but these slots generall
 To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
-### Hyberfil.sys Attacks
+### Hiberfil.sys Attacks
-The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file.
+The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.
-Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. 
    When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
+Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
-In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
+In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
 ### Memory Remanence Attacks
diff --git a/windows/security/hardware-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
similarity index 100%
rename from windows/security/hardware-protection/encrypted-hard-drive.md
rename to windows/security/information-protection/encrypted-hard-drive.md
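Review bot: The re-added `+Like the DMA port attack …` line still spells the filename `hiberfile.sys` in its first sentence, while every other occurrence in this hunk was corrected to `hiberfil.sys`; change `scan the hiberfile.sys file` to `scan the hiberfil.sys file` so the page uses one filename throughout. The same line also keeps the plain `http://www.lostpassword.com/` link even though the other hunks in this commit move references to https URLs; confirm the target serves https before switching it, for consistency with those link updates. The enclosing section continues outside the hunk.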
diff --git a/windows/security/hardware-protection/images/dn168167.boot_process(en-us,MSDN.10).png b/windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png
similarity index 100%
rename from windows/security/hardware-protection/images/dn168167.boot_process(en-us,MSDN.10).png
rename to windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png
diff --git a/windows/security/hardware-protection/images/dn168167.measure_boot(en-us,MSDN.10).png b/windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
similarity index 100%
rename from windows/security/hardware-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
rename to windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
index 4afe213341..4da67275f3 100644
--- a/windows/security/information-protection/index.md
+++ b/windows/security/information-protection/index.md
@@ -11,7 +11,7 @@ ms.date: 02/05/2018
 # Information protection
-Learn more about how to secure documents and and other data across your organization.
+Learn more about how to secure documents and other data across your organization.
 | Section | Description |
 |-|-|
diff --git a/windows/security/hardware-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
similarity index 100%
rename from windows/security/hardware-protection/secure-the-windows-10-boot-process.md
rename to windows/security/information-protection/secure-the-windows-10-boot-process.md
diff --git a/windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
rename to windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
diff --git a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
similarity index 96%
rename from windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md
rename to windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index 85fc58c11a..7731079b80 100644
--- a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -45,7 +45,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password
 ## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule).
 ## Related topics
diff --git a/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md
rename to windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
diff --git a/windows/security/hardware-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/security/information-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
similarity index 100%
rename from windows/security/hardware-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
rename to windows/security/information-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
diff --git a/windows/security/hardware-protection/tpm/images/tpm-capabilities.png b/windows/security/information-protection/tpm/images/tpm-capabilities.png
similarity index 100%
rename from windows/security/hardware-protection/tpm/images/tpm-capabilities.png
rename to windows/security/information-protection/tpm/images/tpm-capabilities.png
diff --git a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
similarity index 96%
rename from windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
rename to windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 525ead7434..3b52d2e805 100644
--- a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -28,7 +28,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi
 - [Turn on or turn off the TPM](#turn-on-or-turn-off)
-For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
 ## About TPM initialization and ownership
@@ -83,7 +83,7 @@ There are several ways to clear the TPM:
 - **Clear the TPM as part of a complete reset of the computer**: You might want to remove all files from the computer and completely reset it, for example, in preparation for a clean installation. To do this, we recommend that you use the **Reset** option in **Settings**. When you perform a reset and use the **Remove everything** option, it will clear the TPM as part of the reset. You might be prompted to press a key before the TPM can be cleared. For more information, see the “Reset this PC” section in [Recovery options in Windows 10](https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options).
-- **Clear the TPM to fix “reduced functionality” or “Not ready” TPM status**: If you open TPM.msc and see that the TPM status is something other than **Ready**, you can can try using TPM.msc to clear the TPM and fix the status. However, be sure to review the precautions in the next section.
+- **Clear the TPM to fix “reduced functionality” or “Not ready” TPM status**: If you open TPM.msc and see that the TPM status is something other than **Ready**, you can try using TPM.msc to clear the TPM and fix the status. However, be sure to review the precautions in the next section.
 ### Precautions to take before clearing the TPM
@@ -165,7 +165,7 @@ This capability was fully removed from TPM.msc in later versions of Windows.
 ## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
 ## Related topics
diff --git a/windows/security/hardware-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/manage-tpm-commands.md
rename to windows/security/information-protection/tpm/manage-tpm-commands.md
diff --git a/windows/security/hardware-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/manage-tpm-lockout.md
rename to windows/security/information-protection/tpm/manage-tpm-lockout.md
diff --git a/windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
rename to windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
diff --git a/windows/security/hardware-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/tpm-fundamentals.md
rename to windows/security/information-protection/tpm/tpm-fundamentals.md
diff --git a/windows/security/hardware-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/tpm-recommendations.md
rename to windows/security/information-protection/tpm/tpm-recommendations.md
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
similarity index 99%
rename from windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
rename to windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 829d773086..43699df08e 100644
--- a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -68,7 +68,7 @@ Some things that you can check on the device are:
 - Is SecureBoot supported and enabled?
 > [!NOTE]
-> The device must be running Windows 10 and it must support at least TPM 2.0.
+> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation.
 ## Supported versions
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
rename to windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
similarity index 100%
rename from windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md
rename to windows/security/information-protection/tpm/trusted-platform-module-top-node.md
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index c0310f6f4e..92e3401948 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 09/11/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 51a816a4fa..0743b419b6 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 10/31/2017
 ---
@@ -41,10 +41,7 @@ The recovery process included in this topic only works for desktop devices. WIP
 >[!Important]
 >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
-
- >[!Note]
- >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md).
 ## Verify your data recovery certificate is correctly set up on a WIP client computer
@@ -52,7 +49,7 @@ The recovery process included in this topic only works for desktop devices. WIP
 2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP.
-3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
 cipher /c filename
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index b31e26bc2e..990c0c34c4 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 09/11/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index e7659f76d0..7adccd0ac3 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -5,10 +5,10 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.author: justinha
 ms.localizationpriority: medium
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 ---
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@@ -348,14 +348,14 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 **To add your protection mode**
-1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
+1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
 The **Required settings** blade appears.
@@ -363,7 +363,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 |Mode |Description |
 |-----|------------|
- |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+ |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
@@ -379,7 +379,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
-2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
+2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add domains, for example your email domains, you can do it in the **Advanced settings** area.
 ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
@@ -422,7 +422,7 @@ There are no default locations included with WIP, you must add each of your netw
 Network domains corp.contoso.com,region.contoso.com
- Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple resources, you must separate them using the "," delimiter.
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple resources, you must separate them using the "," delimiter.
 Proxy servers
@@ -487,7 +487,7 @@ After you've decided where your protected apps can access enterprise data on you
 - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- - **On (recommended).** Turns on the feature and provides the additional protection.
+ - **On.** Turns on the feature and provides the additional protection.
 - **Off, or not configured.** Doesn't enable this feature.
@@ -497,7 +497,7 @@ After you've decided where your protected apps can access enterprise data on you
 - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions.
- - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
+ - **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
 - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
@@ -509,6 +509,12 @@ After you've decided where your protected apps can access enterprise data on you
 - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
+ - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
+
+ - **On.** Starts Windows Search Indexer to index encrypted files.
+
+ - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
+
 ## Choose to set up Azure Rights Management with WIP
 WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
index a2d2b485a4..d75ea228ef 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 ms.localizationpriority: medium
 ---
@@ -195,7 +195,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the
 ### Add an AppLocker policy file
 Now we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview).
-**To create a Packaged App rule rule and xml file**
+**To create a Packaged App rule and xml file**
 1. Open the Local Security Policy snap-in (SecPol.msc).
 2. In the left pane, click **Application Control Policies** > **AppLocker** > **Packaged App Rules**.
@@ -308,11 +308,11 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**.
 |Mode |Description |
 |-----|------------|
-|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. 
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
index 2d44748948..5d23640044 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
@@ -5,9 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 localizationpriority: medium
 ---
@@ -377,7 +377,7 @@ In the **Required settings** blade you must pick your Windows Information Protec
 ### Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
@@ -392,7 +392,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 |Mode |Description |
 |-----|------------|
- |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+ |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
@@ -420,7 +420,7 @@ In the **Advanced settings** blade you must specify where apps can access your c
 ### Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+Intune will add SharePoint sites that are discovered through the Graph API. You must add other network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 >[!Important]
 >Every WIP policy should include policy that defines your enterprise network locations.
    Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
index dbc27f74a8..e766991a5a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -7,9 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
-ms.date: 10/16/2017
+ms.date: 08/08/2018
 ---
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -340,14 +340,14 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP-protection level for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 |Mode |Description |
 |-----|------------|
-|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. 
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 93cc37550a..d686c6df22 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 09/11/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index 7cc7975a21..26b5ff9472 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -7,9 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
-ms.date: 09/11/2017
+ms.date: 08/08/2018
 ---
 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 0bd2b3e912..cc99d381bd 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 05/30/2018
 ---
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index fb8238b948..8e0e18f98a 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 09/11/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
index 517c4a4ad3..7fff387ab2 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
index 7775888473..cd8e0d0388 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
index c467cd1e24..752ea852ce 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
index bdd625c9c6..734f23b46c 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 58d83ff733..9dce29791b 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.author: justinha
 ms.date: 05/30/2018
 ms.localizationpriority: medium
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
index 71de7778d6..6baff2c026 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 10/13/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index e424f3101d..b0cbdd55e6 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 10/13/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 1ad43ba3f3..6ebcf8b468 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -77,13 +77,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. 
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. 
For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. @@ -132,7 +132,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

    **Note**
    For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index ab62ce51f4..f9318f3384 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: justinha
 ms.localizationpriority: medium
 ms.date: 09/11/2017
 ---
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 87c74dd9a0..7225edb78c 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -10,7 +10,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: coreyp-at-msft
 ms.localizationpriority: medium
-ms.date: 04/18/2018
+ms.date: 08/08/2018
 ---
 # Fine-tune Windows Information Protection (WIP) with WIP Learning
@@ -21,16 +21,16 @@ ms.date: 04/18/2018 With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). -The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. -## Access the WIP Learning reports - -1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. - +## Access the WIP Learning reports + +1. Open the [Azure portal](http://portal.azure.com/). 
Choose **All services**. Type **Intune** in the text box filter.
+
 2. Choose **Intune** > **Mobile Apps**.
-
+
 3. Choose **App protection status**.
 4. Choose **Reports**.
@@ -95,7 +95,7 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol
 9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
-When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
+When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index f41fb07b2f..950c5a9761 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,875 +1,916 @@ # [Threat protection](index.md) -## [The Windows Defender Security Center app](windows-defender-security-center/windows-defender-security-center.md) -### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md) -### [Hide Windows Defender Security Center app notifications](windows-defender-security-center/wdsc-hide-notifications.md) -### [Manage Windows Defender Security Center in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md) -### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md) -### [Account protection](windows-defender-security-center\wdsc-account-protection.md) -### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md) -### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md) -### [Device security](windows-defender-security-center\wdsc-device-security.md) -### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md) -### [Family options](windows-defender-security-center\wdsc-family-options.md) - ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) -###Get started -#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) -#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) -#### [Data storage and 
privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) -#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) -### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune) -##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) -##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) -#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) -#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md) -#### [Configure proxy and Internet 
connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) -#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) -#### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md) +####Get started +##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) +##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) +##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) +##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) +#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) +##### [Onboard previous 
versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md) +##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) +###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) +###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) +##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) +##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md) +##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot onboarding 
issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) +##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) +##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) -###Investigate and remediate threats -####Alerts queue -##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) -##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) -##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) -##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) -##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) +####Investigate and remediate threats +#####Alerts queue +###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) +###### 
[Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) +###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) +###### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) +###### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) +###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) +###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) -####Machines list -##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) -##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) -##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) -###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -###### [Navigate between 
pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +#####Machines list +###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) +###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) +###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) +####### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +####### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +####### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) -##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -###### [Restrict app 
execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) -###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) -###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) -###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) -###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -####### [Submit files for 
analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +##### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) +###### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) +####### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) +####### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) +####### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) +####### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) +####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) +####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) + +###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) +####### [Stop 
and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +####### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) +####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) + +###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) +####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) +####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) #### [Use Automated investigation to investigate and remediate 
threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md) -#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) -##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +#### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) +####API and SIEM support +##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) +###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) +###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) +###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) +###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) +###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) -### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) +##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Understand threat intelligence 
concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) +###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) +###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) +###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) +#######Actor +######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) +######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +#######Alerts +######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) +######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related domain 
information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +########Domain +######### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) -###API and SIEM support -#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) -##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) -##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) -##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot SIEM tool integration 
issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) +#######File +######## [Block file](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) +######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) +######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) +######## [Get FileActions collection](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) +######## [Unblock file](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) -#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) -##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) -##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) -##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot custom threat intelligence 
issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) -##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) -######Actor -####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) -####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -######Alerts -####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) -####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -######Domain -####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get domain 
statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) - -######File -####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) -####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) -####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) -####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) -####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) - -######IP -####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) -####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) -######Machines -####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) -####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -####### [Get 
machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) -####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) -####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) -####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) -####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) -####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Run antivirus scan 
API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+#######IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions 
collection](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+#######User
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user 
information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-###Reporting
-#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+####Reporting
+##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
-###Check service health and sensor state
-#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+####Check service health and sensor state
+##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
 ##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
 ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
 ##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-
-####General
-##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-##### [Enable and create Power BI 
reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-####Permissions
-##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
-
-####APIs
-##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-
-####Rules
-##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
-
-####Machine management
-##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
-
-### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
-
-### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
-
-## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-
-### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#####General
+###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-### [Evaluate Windows Defender 
Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+#####Permissions
+###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
+#####APIs
+###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+#####Rules
+###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+#####Machine management
+###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+
+#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+
+#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+##### [Review events and errors on machines with Event 
Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
+#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
-### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-##### 
[Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
-#### [Configure end-user interaction 
with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
-##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
-##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
-##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and 
VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered 
protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
+###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
+###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
+###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
+#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV 
scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
 #### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
-### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-#### [Use Group Policy settings to configure and manage Windows Defender 
AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-
-## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-
-## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
-### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
-
-### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
-#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection 
configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
-### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
-### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
-#### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-#### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
+##### [Manage Windows Defender AV in your 
business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-## [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
-
-## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-
-## [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-## [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
-
-##[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
-###[System requirements for Windows 
Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-
-## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-
-## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-
-## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
-
-## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-
-## [Security auditing](auditing/security-auditing-overview.md)
-### [Basic security audit policies](auditing/basic-security-audit-policies.md)
-#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
-#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
-#### [View the security event log](auditing/view-the-security-event-log.md)
-#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
-##### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
-##### [Audit account management](auditing/basic-audit-account-management.md)
-##### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
-##### [Audit logon 
events](auditing/basic-audit-logon-events.md)
-##### [Audit object access](auditing/basic-audit-object-access.md)
-##### [Audit policy change](auditing/basic-audit-policy-change.md)
-##### [Audit privilege use](auditing/basic-audit-privilege-use.md)
-##### [Audit process tracking](auditing/basic-audit-process-tracking.md)
-##### [Audit system events](auditing/basic-audit-system-events.md)
-### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-#### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-#### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-##### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-#### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-##### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
-##### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
-##### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
-##### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
-##### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
-##### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
-##### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
-##### [Monitor claim types](auditing/monitor-claim-types.md)
-#### 
[Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
-##### [Audit Credential Validation](auditing/audit-credential-validation.md)
-###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
-###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
-###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
-###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
-##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
-###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
-###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
-###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
-##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
-###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
-###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
-###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
-##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
-##### [Audit Application Group Management](auditing/audit-application-group-management.md)
-##### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
-###### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
-###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
-###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
-##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
-###### [Event 4749 S: A security-disabled global 
group was created.](auditing/event-4749.md)
-###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
-###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
-###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
-###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
-##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
-###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
-###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
-##### [Audit Security Group Management](auditing/audit-security-group-management.md)
-###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
-###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
-###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
-###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
-###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
-###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
-###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
-##### [Audit User Account Management](auditing/audit-user-account-management.md)
-###### [Event 4720 S: A user account was created.](auditing/event-4720.md)
-###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
-###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
-###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
-###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
-###### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
-###### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
-###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
-###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
-###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
-###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
-###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
-###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
-###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
-###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
-###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
-###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
-##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
-###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
-###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
-###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
-###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
-##### [Audit PNP Activity](auditing/audit-pnp-activity.md)
-###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
-###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
-###### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
-###### [Event 6421 S: A request was made to enable a 
device.](auditing/event-6421.md)
-###### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
-###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
-###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
-##### [Audit Process Creation](auditing/audit-process-creation.md)
-###### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
-###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
-##### [Audit Process Termination](auditing/audit-process-termination.md)
-###### [Event 4689 S: A process has exited.](auditing/event-4689.md)
-##### [Audit RPC Events](auditing/audit-rpc-events.md)
-###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
-##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
-###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
-###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
-###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
-###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
-###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
-###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
-###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
-###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
-##### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
-###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
-###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
-###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
-###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
-###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
-###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
-##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
-###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
-###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
-##### [Audit Account Lockout](auditing/audit-account-lockout.md)
-###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-##### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
-###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
-##### [Audit Group Membership](auditing/audit-group-membership.md)
-###### [Event 4627 S: Group membership information.](auditing/event-4627.md)
-##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
-##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
-##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
-##### [Audit Logoff](auditing/audit-logoff.md)
-###### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
-###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
-##### [Audit Logon](auditing/audit-logon.md)
-###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
-###### [Event 4625 F: An account failed to log 
on.](auditing/event-4625.md)
-###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
-###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
-##### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
-##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
-###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
-###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
-###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
-###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
-###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
-###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
-###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
-###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
-###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
-###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
-##### [Audit Special Logon](auditing/audit-special-logon.md)
-###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
-###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
-##### [Audit Application Generated](auditing/audit-application-generated.md)
-##### [Audit Certification Services](auditing/audit-certification-services.md)
-##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
-###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
-##### [Audit File Share](auditing/audit-file-share.md)
-###### [Event 5140 S, F: A network share object was 
accessed.](auditing/event-5140.md)
-###### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
-###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
-###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
-###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
-##### [Audit File System](auditing/audit-file-system.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-###### [Event 5051: A file was virtualized.](auditing/event-5051.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
-###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
-###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
-###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
-###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
-###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
-###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
-###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
-###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
-###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
-##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
-###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
-###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
-##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
-###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
-##### [Audit Kernel Object](auditing/audit-kernel-object.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
-###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
-###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
-###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
-###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
-###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
-###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
-###### [Event 
4700 S: A scheduled task was enabled.](auditing/event-4700.md)
-###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
-###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
-###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
-###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
-###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
-##### [Audit Registry](auditing/audit-registry.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
-###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-##### [Audit Removable Storage](auditing/audit-removable-storage.md)
-##### [Audit SAM](auditing/audit-sam.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
-###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
-##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
-###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
-###### [Event 4817 S: Auditing settings on object were 
changed.](auditing/event-4817.md)
-###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
-###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
-###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
-###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
-###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
-###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
-###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
-##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
-###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
-###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
-###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
-###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
-###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
-###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
-###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
-###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
-###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
-###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
-###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
-##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
-###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
-###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
-###### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
-###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
-##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
-##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
-###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
-###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
-###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
-###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
-###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
-###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
-###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
-###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
-###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
-###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
-###### [Event 4954 S: Windows Firewall Group Policy settings have changed. 
The new settings have been applied.](auditing/event-4954.md)
-###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
-###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
-###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
-##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
-###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
-###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
-###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
-###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
-###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
-###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
-###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
-###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
-###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
-###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
-###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
-###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
-###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
-###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
-###### [Event 6144 S: Security policy in the group policy objects has 
been applied successfully.](auditing/event-6144.md)
-###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
-##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
-##### [Audit Other System Events](auditing/audit-other-system-events.md)
-###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
-###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
-###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
-###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
-###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. 
The service will continue to enforce the current policy.](auditing/event-5029.md)
-###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
-###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
-###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
-###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
-###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
-###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
-###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
-###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
-###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
-###### [Event 6401: BranchCache: Received invalid data from a peer. 
Data discarded.](auditing/event-6401.md)
-###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
-###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
-###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
-###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
-###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
-###### [Event 6407: 1%.](auditing/event-6407.md)
-###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
-###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
-##### [Audit Security State Change](auditing/audit-security-state-change.md)
-###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
-###### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
-###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
-##### [Audit Security System Extension](auditing/audit-security-system-extension.md)
-###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
-###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
-###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
-###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
-###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
-##### [Audit System 
Integrity](auditing/audit-system-integrity.md)
-###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
-###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
-###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
-###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
-###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
-###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
-###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
-###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
-###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
-###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
-###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
-###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
-##### [Other Events](auditing/other-events.md)
-###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
-###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
-###### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
-###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
-###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
-##### [Appendix A: Security monitoring recommendations for many audit 
events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
-
-## [Security policy settings](security-policy-settings/security-policy-settings.md)
-### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
-#### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
-### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
-### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
-#### [Account Policies](security-policy-settings/account-policies.md)
-##### [Password Policy](security-policy-settings/password-policy.md)
-###### [Enforce password history](security-policy-settings/enforce-password-history.md)
-###### [Maximum password age](security-policy-settings/maximum-password-age.md)
-###### [Minimum password age](security-policy-settings/minimum-password-age.md)
-###### [Minimum password length](security-policy-settings/minimum-password-length.md)
-###### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
-###### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
-##### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
-###### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
-###### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
-###### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
-##### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
-###### 
[Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
-###### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
-###### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
-###### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
-###### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
-#### [Audit Policy](security-policy-settings/audit-policy.md)
-#### [Security Options](security-policy-settings/security-options.md)
-##### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
-##### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
-##### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
-##### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
-##### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
-##### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
-##### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
-##### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
-##### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
-##### [Audit: Shut down system immediately if unable to log security 
audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
-##### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-##### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-##### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
-##### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
-##### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
-##### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
-##### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
-##### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
-##### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
-##### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
-##### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
-##### [Domain member: Digitally encrypt secure channel data (when 
possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
-##### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
-##### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
-##### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
-##### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
-##### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
-##### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
-##### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
-##### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
-##### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
-##### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
-##### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
-##### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
-##### [Interactive logon: Number of previous logons to cache (in case domain 
controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
-##### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
-##### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
-##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
-##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
-##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
-##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
-##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
-##### [Microsoft network server: Digitally sign communications 
(always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
-##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
-##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
-##### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
-##### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
-##### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
-##### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
-##### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
-##### [Network access: Remotely accessible registry 
paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
-##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
-##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
-##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
-##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
-##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
-##### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
-##### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-##### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
-##### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
-##### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
-##### 
[Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
-##### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
-##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
-##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
-##### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
-##### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
-##### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
-##### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
-##### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
-##### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
-##### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
-##### [Recovery console: Allow automatic administrative 
logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
-##### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
-##### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
-##### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
-##### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
-##### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
-##### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-##### [System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
-##### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
-##### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
-##### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
-##### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
-##### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
-##### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
-##### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
-##### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
-##### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
-##### [User Account Control: Run all administrators in 
Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
-##### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
-##### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
-#### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
-#### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
-##### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
-##### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
-##### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
-##### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
-##### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
-##### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
-##### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
-##### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
-##### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
-##### [Change the system time](security-policy-settings/change-the-system-time.md)
-##### [Change the time zone](security-policy-settings/change-the-time-zone.md)
-##### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
-##### [Create a token 
object](security-policy-settings/create-a-token-object.md)
-##### [Create global objects](security-policy-settings/create-global-objects.md)
-##### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
-##### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
-##### [Debug programs](security-policy-settings/debug-programs.md)
-##### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
-##### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
-##### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
-##### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
-##### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
-##### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
-##### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
-##### [Generate security audits](security-policy-settings/generate-security-audits.md)
-##### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
-##### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
-##### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
-##### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
-##### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
-##### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
-##### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
-##### [Manage auditing and security 
log](security-policy-settings/manage-auditing-and-security-log.md)
-##### [Modify an object label](security-policy-settings/modify-an-object-label.md)
-##### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
-##### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
-##### [Profile single process](security-policy-settings/profile-single-process.md)
-##### [Profile system performance](security-policy-settings/profile-system-performance.md)
-##### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
-##### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
-##### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
-##### [Shut down the system](security-policy-settings/shut-down-the-system.md)
-##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
-##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
-## [Windows security baselines](windows-security-baselines.md)
-### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-### [Get support](get-support-for-security-baselines.md)
-## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
+
+
+
+
+
+
+
+
+
+
+
+### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
+#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
+#### [Exploit 
protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
+###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
+#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+##### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+##### [Troubleshoot Network 
protection](windows-defender-exploit-guard\troubleshoot-np.md)
+#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+
+
+### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+
+
+
+
+
+
+### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
+#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+
+
+## Other security features
+### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
+#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
+#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
+#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
+#### [Virus and threat 
protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
+#### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
+#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+#### [Device security](windows-defender-security-center\wdsc-device-security.md)
+#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+#### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+
+
+### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+
+### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+
+### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+### [Security auditing](auditing/security-auditing-overview.md)
+
+#### [Basic security audit policies](auditing/basic-security-audit-policies.md)
+##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
+##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
+##### [View the security event log](auditing/view-the-security-event-log.md)
+
+##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
+###### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
+###### [Audit account management](auditing/basic-audit-account-management.md)
+###### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
+###### [Audit logon events](auditing/basic-audit-logon-events.md)
+###### [Audit object access](auditing/basic-audit-object-access.md)
+###### [Audit policy change](auditing/basic-audit-policy-change.md)
+###### [Audit privilege use](auditing/basic-audit-privilege-use.md)
+###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
+###### [Audit system events](auditing/basic-audit-system-events.md)
+
+#### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+
+###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
+####### [Monitor 
the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
+####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
+####### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
+####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
+####### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
+####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
+####### [Monitor claim types](auditing/monitor-claim-types.md)
+
+###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
+####### [Audit Credential Validation](auditing/audit-credential-validation.md)
+####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
+####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
+####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
+####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
+###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
+####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
+####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
+####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
+###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
+####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
+####### 
[Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md) +####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md) +###### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md) +###### [Audit Application Group Management](auditing/audit-application-group-management.md) +###### [Audit Computer Account Management](auditing/audit-computer-account-management.md) +####### [Event 4741 S: A computer account was created.](auditing/event-4741.md) +####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md) +####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md) +###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md) +####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md) +####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md) +####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md) +####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) +####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) +###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) +####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) +###### [Audit Security Group Management](auditing/audit-security-group-management.md) +####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) +####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md) +####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) +####### [Event 4734 S: A security-enabled 
local group was deleted.](auditing/event-4734.md) +####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) +####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md) +####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) +###### [Audit User Account Management](auditing/audit-user-account-management.md) +####### [Event 4720 S: A user account was created.](auditing/event-4720.md) +####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md) +####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md) +####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md) +####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md) +####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md) +####### [Event 4738 S: A user account was changed.](auditing/event-4738.md) +####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md) +####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md) +####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md) +####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md) +####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md) +####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md) +####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md) +####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md) +####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md) +####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md) 
+###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md) +####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md) +####### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md) +####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md) +####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md) +###### [Audit PNP Activity](auditing/audit-pnp-activity.md) +####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md) +####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md) +####### [Event 6420 S: A device was disabled.](auditing/event-6420.md) +####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md) +####### [Event 6422 S: A device was enabled.](auditing/event-6422.md) +####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md) +####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md) +###### [Audit Process Creation](auditing/audit-process-creation.md) +####### [Event 4688 S: A new process has been created.](auditing/event-4688.md) +####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md) +###### [Audit Process Termination](auditing/audit-process-termination.md) +####### [Event 4689 S: A process has exited.](auditing/event-4689.md) +###### [Audit RPC Events](auditing/audit-rpc-events.md) +####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) +###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) +####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) 
+####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md) +####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md) +####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md) +####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md) +####### [Event 4935 F: Replication failure begins.](auditing/event-4935.md) +####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md) +####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md) +###### [Audit Directory Service Access](auditing/audit-directory-service-access.md) +####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md) +####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) +###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md) +####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md) +####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md) +####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md) +####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md) +####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md) +###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md) +####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md) +####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md) +###### [Audit Account Lockout](auditing/audit-account-lockout.md) +####### [Event 4625 F: An account failed to log 
on.](auditing/event-4625.md) +###### [Audit User/Device Claims](auditing/audit-user-device-claims.md) +####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md) +###### [Audit Group Membership](auditing/audit-group-membership.md) +####### [Event 4627 S: Group membership information.](auditing/event-4627.md) +###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md) +###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md) +###### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md) +###### [Audit Logoff](auditing/audit-logoff.md) +####### [Event 4634 S: An account was logged off.](auditing/event-4634.md) +####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md) +###### [Audit Logon](auditing/audit-logon.md) +####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md) +####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) +####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md) +####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md) +###### [Audit Network Policy Server](auditing/audit-network-policy-server.md) +###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md) +####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md) +####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md) +####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md) +####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md) +####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md) +####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md) +####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md) +####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md) +####### 
[Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md) +####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md) +###### [Audit Special Logon](auditing/audit-special-logon.md) +####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md) +####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md) +###### [Audit Application Generated](auditing/audit-application-generated.md) +###### [Audit Certification Services](auditing/audit-certification-services.md) +###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md) +####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md) +###### [Audit File Share](auditing/audit-file-share.md) +####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md) +####### [Event 5142 S: A network share object was added.](auditing/event-5142.md) +####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md) +####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md) +####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md) +###### [Audit File System](auditing/audit-file-system.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +####### [Event 5051: A file was virtualized.](auditing/event-5051.md) +####### [Event 4670 S: Permissions 
on an object were changed.](auditing/event-4670.md) +###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md) +####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md) +####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md) +####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md) +####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md) +####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md) +####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md) +####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md) +####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md) +####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md) +###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md) +####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md) +####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md) +###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md) +####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md) +###### [Audit Kernel Object](auditing/audit-kernel-object.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object 
was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md) +####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md) +####### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md) +####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md) +####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md) +####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md) +####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md) +####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md) +####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md) +####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md) +####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md) +####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md) +####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md) +###### [Audit Registry](auditing/audit-registry.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md) +####### [Event 5039: A registry key was 
virtualized.](auditing/event-5039.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +###### [Audit Removable Storage](auditing/audit-removable-storage.md) +###### [Audit SAM](auditing/audit-sam.md) +####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) +###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md) +####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md) +###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md) +####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md) +####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md) +####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md) +####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md) +####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md) +####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md) +####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md) +####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md) +####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md) +###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md) +####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md) +####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md) +####### [Event 4716 S: Trusted domain information was 
modified.](auditing/event-4716.md) +####### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md) +####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md) +####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md) +####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md) +####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md) +####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md) +####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md) +####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md) +###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md) +####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) +####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md) +####### [Event 4705 S: A user right was removed.](auditing/event-4705.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md) +####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md) +###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md) +###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md) +####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md) +####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md) +####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md) +####### [Event 4947 S: A change has been made to Windows Firewall exception list. 
A rule was modified.](auditing/event-4947.md) +####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md) +####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md) +####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md) +####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md) +####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md) +####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md) +####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md) +####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md) +####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md) +####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md) +###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md) +####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md) +####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md) +####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md) +####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md) +####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md) +####### [Event 5063 S, F: A cryptographic provider operation was 
attempted.](auditing/event-5063.md) +####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md) +####### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md) +####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md) +####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md) +####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md) +####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md) +####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md) +####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md) +####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md) +####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md) +###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md) +####### [Event 4985 S: The 
state of a transaction has changed.](auditing/event-4985.md) +###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md) +###### [Audit Other System Events](auditing/audit-other-system-events.md) +####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md) +####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md) +####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md) +####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md) +####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md) +####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md) +####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md) +####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md) +####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md) +####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md) +####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md) +####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md) +####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md) +####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md) +####### [Event 6401: BranchCache: Received invalid data from a peer. 
Data discarded.](auditing/event-6401.md) +####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md) +####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md) +####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md) +####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md) +####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md) +####### [Event 6407: 1%.](auditing/event-6407.md) +####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md) +####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md) +###### [Audit Security State Change](auditing/audit-security-state-change.md) +####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md) +####### [Event 4616 S: The system time was changed.](auditing/event-4616.md) +####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md) +###### [Audit Security System Extension](auditing/audit-security-system-extension.md) +####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md) +####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md) +####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md) +####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md) +####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md) +###### [Audit System 
Integrity](auditing/audit-system-integrity.md) +####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md) +####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md) +####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md) +####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md) +####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md) +####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md) +####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md) +####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md) +####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md) +####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md) +####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md) +####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md) +###### [Other Events](auditing/other-events.md) +####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md) +####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md) +####### [Event 1104 S: The security log is now full.](auditing/event-1104.md) +####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) +####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) +###### [Appendix A: Security monitoring recommendations for many audit 
events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) +###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md) +###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md) + + + + + +### [Security policy settings](security-policy-settings/security-policy-settings.md) +#### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md) +##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md) +#### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md) +#### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md) +##### [Account Policies](security-policy-settings/account-policies.md) +###### [Password Policy](security-policy-settings/password-policy.md) +####### [Enforce password history](security-policy-settings/enforce-password-history.md) +####### [Maximum password age](security-policy-settings/maximum-password-age.md) +####### [Minimum password age](security-policy-settings/minimum-password-age.md) +####### [Minimum password length](security-policy-settings/minimum-password-length.md) +####### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md) +####### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md) +###### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md) +####### [Account lockout duration](security-policy-settings/account-lockout-duration.md) +####### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md) +####### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md) +###### [Kerberos 
Policy](security-policy-settings/kerberos-policy.md)
+####### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
+####### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
+####### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
+####### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
+####### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
+##### [Audit Policy](security-policy-settings/audit-policy.md)
+##### [Security Options](security-policy-settings/security-options.md)
+###### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
+###### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
+###### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
+###### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
+###### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
+###### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
+###### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
+###### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
+###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
+###### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
+###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+###### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
+###### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
+###### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
+###### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
+###### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
+###### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
+###### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
+###### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
+###### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
+###### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
+###### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
+###### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
+###### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
+###### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
+###### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
+###### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
+###### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
+###### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
+###### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
+###### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
+###### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
+###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
+###### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
+###### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
+###### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
+###### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
+###### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
+###### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
+###### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
+###### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
+###### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
+###### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
+###### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
+###### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
+###### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
+###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
+###### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
+###### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
+###### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
+###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
+###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
+###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
+###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
+###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
+###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
+###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
+###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
+###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
+###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
+###### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
+###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
+###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
+###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
+###### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
+###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
+###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
+###### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
+###### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
+###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
+###### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
+###### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
+###### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
+###### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
+###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
+###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
+###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
+###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
+###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
+###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
+###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
+###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
+###### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
+###### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
+###### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
+###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
+###### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
+###### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
+###### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
+##### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
+##### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
+###### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
+###### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
+###### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
+###### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
+###### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
+###### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
+###### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
+###### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
+###### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
+###### [Change the system time](security-policy-settings/change-the-system-time.md)
+###### [Change the time zone](security-policy-settings/change-the-time-zone.md)
+###### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
+###### [Create a token object](security-policy-settings/create-a-token-object.md)
+###### [Create global objects](security-policy-settings/create-global-objects.md)
+###### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
+###### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
+###### [Debug programs](security-policy-settings/debug-programs.md)
+###### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
+###### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
+###### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
+###### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
+###### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
+###### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
+###### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
+###### [Generate security audits](security-policy-settings/generate-security-audits.md)
+###### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
+###### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
+###### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
+###### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
+###### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
+###### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
+###### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
+###### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
+###### [Modify an object label](security-policy-settings/modify-an-object-label.md)
+###### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
+###### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
+###### [Profile single process](security-policy-settings/profile-single-process.md)
+###### [Profile system performance](security-policy-settings/profile-system-performance.md)
+###### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
+###### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
+###### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
+###### [Shut down the system](security-policy-settings/shut-down-the-system.md)
+###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
+###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
+
+
+
+
+
+
+### [Windows security baselines](windows-security-baselines.md)
+#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+#### [Get support](get-support-for-security-baselines.md)
+
+### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
 ## [Change history for Threat protection](change-history-for-threat-protection.md)
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index 4e87f11954..d772192059 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 07/25/2018
 ---
 # Apply a basic audit policy on a file or folder
@@ -32,7 +32,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
 - To audit failure events, click **Fail.**
 - To audit all events, click **All.**
-> **Important:**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
+> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
 ## Additional considerations
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 3683fa438c..831cb9ee9c 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 07/16/2018
 ---
 # Audit Account Lockout
@@ -19,7 +19,7 @@ ms.date: 04/19/2017
 Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
-If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
+If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Account lockout events are essential for understanding user activity and detecting potential attacks.
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index e9a0c01254..9c9b76a014 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 07/16/2018
 ---
 # Audit Logoff
@@ -25,15 +25,15 @@ There is no failure event in this subcategory because failed logoffs (such as wh Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. -**Event volume**: Low. +**Event volume**: High. This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
    Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
    Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
    Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
    Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
    Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
    Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 **Events List:**
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index fea480a728..af9ea206a6 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -23,7 +23,7 @@ To set this value to **No auditing**, in the **Properties** dialog box for this
 **Default:** No auditing.
-## Configure this this security setting
+## Configure this security setting
 You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index f629490f28..fe78230d8c 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -18,7 +18,7 @@ ms.date: 04/19/2017
 This event should be generated when registry key was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
-This event occurs very rarely during during standard LUAFV registry key virtualization.
+This event occurs very rarely during standard LUAFV registry key virtualization.
 There is no example of this event in this document.
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index 1dedf56d0f..f5fea8b85c 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -7,8 +7,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: security
 ms.sitesec: library
-author: eross-msft
-ms.author: lizross
+author: justinha
+ms.author: justinha
 ms.date: 08/14/2017
 ms.localizationpriority: medium
 ---
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 31e6351c21..8a5fc0d12d 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,6 +1,6 @@
 ---
-title: Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10)
-description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
+title: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (Windows 10)
+description: Microsoft Windows 10 has a feature set that consists of both hardware and software system integrity hardening capabilites that revolutionize the Windows operating system’s security.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,36 +9,37 @@ author: mdsakibMSFT
 ms.date: 04/19/2018
 ---
-# Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
+# Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (aka Windows Defender Device Guard)
 **Applies to**
 - Windows 10
 - Windows Server 2016
-With Windows 10, we introduced Windows Defender Device Guard, a set of hardware and OS technologies that, when configured together, allow enterprises to lock down Windows systems so they operate with many of the properties of mobile devices.
-In this configuration, Device Guard restricts devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
-Configurable CI has these advantages over other solutions:
+Configurable CI and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. Starting with the Windows 10 Anniversary Update (1607), this combined "configuration state" of Configurable CI and HVCI has been referred to as Windows Defender Device Guard.
+
+Using Configurable CI to restrict devices to only autherized apps has these advantages over other solutions:
 1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
 2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
-3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. Then changing the policy requires administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker or malware that managed to gain administrative privilege to alter the application control policy.
+3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy.
 4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.
## (Re-)Introducing Windows Defender Application Control
-When we originally designed Device Guard it was built with a specific security promise in mind. Although there were no direct dependencies between its two main OS features, configurable CI and HVCI, we intentionally focused our marketing story around the Device Guard lockdown state you achieve when deploying them together.
+When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable CI and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
-However, this unintentionally left an impression for many customers that the two features were inexorably linked and could not be deployed separately.
-And given that HVCI relies on the Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
+However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately.
+Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
-As a result, many customers assumed that they couldn’t use configurable CI either.
-But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many customers were wrongly denied the benefits of this powerful application control capability.
+As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable CI either.
+But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. So we are promoting configurable CI within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
-We hope this branding change will help us better communicate options for adopting application control within an organization.
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable CI as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
+We hope this change will help us better communicate options for adopting application control within an organization.
-Does this mean Windows Defender Device Guard is going away? Not at all. Device Guard will continue to exist as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features.
It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original Device Guard scenario.
+Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.
 ## Related topics
diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png
new file mode 100644
index 0000000000..60725244e5
Binary files /dev/null and b/windows/security/threat-protection/images/wdatp-pillars2.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index f2c623bd85..b589ac9a69 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -10,19 +10,27 @@ ms.date: 02/05/2018
 ---
 # Threat Protection
+Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
+
+![Windows Defender ATP components](images/wdatp-pillars2.png)
+
+The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
+
+**Attack surface reduction**
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+
+**Next generation protection**
+To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
+
+**Endpoint protection and response**
+Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+
+**Auto investigation and remediation**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+
+**Security posture**
+Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
+
+
-Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-| Section | Description |
-|-|-|
-|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
-|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
-|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers.
Includes a list of system requirements and new features.|
-|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
-|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
-|[Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
-|[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
-|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
-|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
-|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
|
-|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. |
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 59c71f57ac..38cb2e0298 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -32,7 +32,7 @@ This topic provides an overview of some of the software and firmware threats fac
 ## The security threat landscape
-Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
+Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to:
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index f9f2c541a5..6c5e5a372b 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -366,7 +366,7 @@ The following table details the hardware requirements for both virtualization-ba

    Trusted Platform Module (TPM)

    -

    Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.

    +

    Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)

diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index c0380358d5..16a6c63d06 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -25,8 +25,8 @@ The following topics provide a discussion of each policy setting's implementatio
 | Topic | Description |
 | - | - |
-| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
 | [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
+| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
 | [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
  
 ## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 7dc894bdc7..bb487621e3 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -50,7 +50,7 @@ By default, the members of the following groups have this right on domain contro
 ### Location
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
+Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
 ### Default values
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index c50b81aaaf..871e2e7d7f 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 07/13/2017
 ---
 # Increase scheduling priority
@@ -33,7 +33,7 @@ Constant: SeIncreaseBasePriorityPrivilege
 ### Best practices
-- Allow the default value, Administrators, as the only account responsible for controlling process scheduling priorities.
+- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities.
 ### Location
@@ -48,11 +48,11 @@ The following table lists the actual and effective default policy values. Defaul
 | Server type or GPO | Default value |
 | - | - |
 | Default Domain Policy| Not defined|
-| Default Domain Controller Policy| Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group|
+| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group|
+| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group|
+| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group|
  
 ## Policy management
@@ -83,11 +83,11 @@ A user who is assigned this user right could increase the scheduling priority of
 ### Countermeasure
-Verify that only Administrators have the **Increase scheduling priority** user right assigned to them.
+Verify that only Administrators and and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them.
 ### Potential impact
-None. Restricting the **Increase scheduling priority** user right to members of the Administrators group is the default configuration.
+None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and and Window Manager/Window Manager Group is the default configuration.
 ## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index a21530fb60..5aa52eaa25 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -19,7 +19,7 @@ Describes the best practices, location, values, policy management, and security
 ## Reference
-The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days.
+The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
 ### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index a95ce92f8c..b672362f53 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -25,7 +25,7 @@ ms.date: 07/27/2017
 The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory.
-The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic.
+The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the KB articles listed in **Applies to** section of this topic.
 This topic describes the default values for this security policy setting in different versions of Windows. By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index a962ec3cc3..51b259cf4e 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -26,7 +26,7 @@ When a service connects with the device identity, signing and encryption are sup
 ### Possible values
 | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
-| - | - |
+| - | - | - |
 | Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
 | Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.|
 |Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index fc4ba4c6b4..77cc805406 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/10/2018
 ---
@@ -68,11 +68,9 @@ See [How to create and deploy antimalware policies: Scan settings]( https://docs
 **Use Microsoft Intune to configure scanning options**
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
-
-
 ### Email scanning limitations
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index ca884944ee..9381eb05f6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/10/2018
 ---
 # Configure and validate exclusions based on file extension and folder location
@@ -186,8 +186,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 **Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
-
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
 **Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 05684915fd..43501a9510 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/10/2018
 ---
 # Configure exclusions for files opened by processes
@@ -142,8 +142,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 **Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
-
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
 **Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:**
@@ -173,7 +172,7 @@ Environment variables | The defined variable will be populated as a path when th
 ## Review the list of exclusions
-You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
 If you use PowerShell, you can retrieve the list in two ways:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index 9ab2a46598..c409e9402c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/10/2018
 --- 
@@ -35,7 +35,7 @@ ms.date: 04/30/2018
 When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
-This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings).
+This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
 You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index c53a13b919..12275ec64d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md 
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/21/2018
+ms.date: 07/19/2018
 ---
 # Deploy, manage, and report on Windows Defender Antivirus 
@@ -41,7 +41,7 @@ You'll also see additional links for:
 Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
 ---|---|---|---
 System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
-Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]
+Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management)
 Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
 PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
 Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update 
options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 55ed3cb681..fa6dae36c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 11/20/2017
+ms.date: 07/10/2018
 ---
 # Detect and block Potentially Unwanted Applications
@@ -107,8 +107,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
 **Use Intune to configure the PUA protection feature**
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
-
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
 ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 52804b3481..da5b515967 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/10/2018
 ---
 # Enable cloud-delivered protection in Windows Defender AV 
@@ -108,25 +108,22 @@ See the following for more information and allowed parameters:
 **Use Intune to enable cloud-delivered protection**
-1. Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure.
-2. Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following:
- 1. **Send samples automatically**
- 1. **Send all samples automatically**
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services > Intune**.
+3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
+4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+5. On the **Cloud-delivered protection** switch, select **Enable**.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
+7. In the **Submit samples consent** dropdown, select one of the following:
+ 1. **Send safe samples automatically**
+ 2. **Send all samples automatically**
 > [!WARNING]
 > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
-5. 
Scroll down to the **Microsoft Active Protection Service** section and set the following settings:
-
- Setting | Set to
- --|--
- Join Microsoft Active Protection Service | Yes
- Membership level | Advanced
- Receive dynamic definitions based on Microsoft Active Protection Service reports | Yes
+8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+
+For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
-3. Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client).
-
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details.
-
 **Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app**
 > [!NOTE]
 > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index ba1fdde4da..79696c63e9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/10/2018
 ---
 # Report on Windows Defender Antivirus protection
@@ -28,7 +28,7 @@ There are a number of ways you can review protection status and alerts, dependin
-You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune).
 Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 16d24853fc..151f4e6a10 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 08/26/2017
+ms.date: 07/10/2018
 ---
 # Review Windows Defender AV scan results
@@ -83,7 +83,9 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**]
 **Use Microsoft Intune to review Windows Defender AV scan results:**
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
+
+2. Click the scan results in **Device actions status**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 7849eb1cd6..cfa4f029ba 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 08/26/2017
+ms.date: 07/10/2018
 --- 
@@ -40,16 +40,17 @@ ms.date: 08/26/2017
 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
-## Quick scan versus full scan
+## Quick scan versus full scan and custom scan
 Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md), which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
 In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+A custom scan allows you to specify files or folders to scan, such as a USB drive.
 **Use the mpcmdrum.exe command-line utility to run a scan:** 
@@ -98,8 +99,9 @@ See the following for more information and allowed parameters:
 **Use Microsoft Intune to run a scan:**
+1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+2. Select **...More** and then select **Quick Scan** or **Full Scan**.
 ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index 3bf361e0fd..20c62b31b9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/26/2018
 --- 
@@ -43,7 +43,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d
 You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
 To configure the Group Policy settings described in this topic:
@@ -60,7 +60,7 @@ To configure the Group Policy settings described in this topic:
 Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
-## Quick scan versus full scan
+## Quick scan versus full scan and custom scan
 When you set up scheduled scans, you can set up whether the scan should be a full or quick scan. 
@@ -72,6 +72,8 @@ In most instances, this means a quick scan is adequate to find malware that wasn
 A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+A custom scan allows you to specify the files and folders to scan, such as a USB drive.
+
 ## Set up scheduled scans
 Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
@@ -83,8 +85,8 @@ Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Scan | Specify the scan type to use for a scheduled scan | Quick scan
 Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
-Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
-Root | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
+Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
+Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled
 **Use PowerShell cmdlets to schedule scans:**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index 4dfdd0e9f8..b2b7a4640f 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/19/2018
 ---
 # Specify the cloud-delivered protection level
@@ -30,6 +30,7 @@ ms.date: 04/30/2018
 - Group Policy
 - System Center Configuration Manager (current branch)
+- Intune
 You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. 
@@ -59,7 +60,25 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+**Use Intune to specify the level of cloud-delivered protection:**
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services > Intune**.
+3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
+4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+5. On the **File Blocking Level** switch, select one of the following:
+
+ 1. **High** to provide a strong level of detection
+ 2. **High +** to apply additional protection measures
+ 3. **Zero tolerance** to block all unknown executables
+
+ > [!WARNING]
+ > While unlikely, setting this switch to **High** might cause some legitimate files to be detected. The **High +** setting might impact client performance. We recommend you set this to the default level (**Not configured**).
+
+8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+
+For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
+
 ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index df26ab7ae1..403cf6a2e3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 08/26/2017
+ms.date: 07/19/2018
 ---
 # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
@@ -22,7 +22,7 @@ In some cases, the protection will be labeled as Endpoint Protection, although t
 See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
-For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/en-us/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
 ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 47d5189976..db9fd10f0d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -68,7 +68,7 @@ This table indicates the functionality and features that are available in each s
 State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
 :-|:-|:-:|:-:|:-:|:-:|:-:
 Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]]
+Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
 Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
 If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index ffbec0bb55..5ee0ccdb96 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 09/21/2017
+ms.date: 08/02/2018
---
# Delete an AppLocker rule
@@ -16,7 +16,7 @@ ms.date: 09/21/2017
- Windows 10
- Windows Server
-This topic for IT professionals describes the steps to delete an AppLocker rule.
+This topic for IT professionals describes the steps to delete an AppLocker rule. 
As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
@@ -25,6 +25,8 @@ For info about testing an AppLocker policy to see what rules affect which files
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings.
+
**To delete a rule in an AppLocker policy**
1. Open the AppLocker console.
@@ -43,6 +45,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
      
+
To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules:
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 336b74e40b..1aec53e4ed 100644
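Review bot: The added sentence `These steps apply only for locally managed devices.` contradicts the paragraph directly above it, which says the same task can be performed in the Group Policy Management Console against a GPO, so a reader who manages AppLocker through a GPO is told the procedure does not apply to them. The caveat that matters is the second sentence: deleting a rule from the local policy does not remove a rule delivered by a GPO or by MDM, so the deletion has no effect until the rule is removed at its source. Suggest replacing the two sentences with `Deleting a rule from the local AppLocker policy has no effect on rules delivered by a GPO or by MDM; the local policy does not override those settings. If the rule comes from a GPO or MDM policy, delete it there.` The rest of the procedure continues outside this hunk.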
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 06/14/2018 +ms.date: 07/16/2018 --- # Microsoft recommended block rules @@ -78,7 +78,7 @@ For October 2017, we are announcing an update to system.management.automation.dl Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: -``` +```xml 10.0.0.0 @@ -655,7 +655,33 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1339,6 +1371,34 @@ Microsoft recommends that you block the following Microsoft-signed applications + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1347,7 +1407,7 @@ Microsoft recommends that you block the following Microsoft-signed applications 0 - + ```
    diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 0148e43cae..d973298558 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
@@ -43,7 +43,7 @@ You might need to control a limited number of apps because they access sensitive |Control only Classic Windows applications, only Universal Windows apps, or both| WDAC policies control apps by creating an allowed list of apps based on code signing certificate and\or file hash information. Because Universal Windows apps are all signed by the Windows Store, Classic Windows applications and Universal Windows apps can be controlled together. WDAC policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with WDAC on Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.| | Control apps by business group | WDAC policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). | | Control apps by computer, not user | WDAC is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your WDAC planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| -|Understand app usage, but there is no need to control any apps yet | WDAC policies can be set to audit app usage to help you track which apps are used in your organization. You can then use teh CodeIntegrity log in Event Viewer to create WDAC policies.| +|Understand app usage, but there is no need to control any apps yet | WDAC policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the CodeIntegrity log in Event Viewer to create WDAC policies.| ### How do you currently control app usage in your organization? 
@@ -135,4 +135,4 @@ Because the effectiveness of application control policies is dependent on the ab
## Record your findings
-The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules.
\ No newline at end of file
+The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 97f53bee77..af72b5b90d 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -5,8 +5,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
-ms.author: lizross
+author: justinha
+ms.author: justinha
ms.date: 10/19/2017
---
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 07a1453d98..dcea68cace 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -5,8 +5,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
-ms.author: lizross
+author: justinha
+ms.author: justinha
ms.date: 11/07/2017
---
@@ -64,3 +64,9 @@ Answering frequently asked questions about Windows Defender Application Guard (A |**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?| |**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.|
    + +| | | +|---|----------------------------| +|**Q:** |What is the WDAGUtilityAccount local account?| +|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.| +
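Review bot: The new answer's last sentence, `This item is integrated to the OS and is not considered as a threat/virus/malware.`, is ungrammatical ("integrated to") and stops short of telling an operator what to do with the account. The useful guidance is that the account is expected to become enabled once Application Guard is turned on, so local-account audits or baseline checks that flag enabled local accounts should treat WDAGUtilityAccount as expected on Application Guard devices; whether removing or renaming it breaks Application Guard is not stated here and should be confirmed with the feature owner before adding that. Suggested wording for the sentence: `This account is built into the OS and is not a threat, virus, or malware; it is expected to be enabled on devices where Application Guard is turned on.`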
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 1d9426c339..037fb26536 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -5,8 +5,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
-ms.author: lizross
+author: justinha
+ms.author: justinha
ms.date: 10/19/2017
---
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index d02f615282..413a76b74a 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -5,8 +5,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
-ms.author: lizross
+author: justinha
+ms.author: justinha
ms.date: 11/09/2017
---
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index 620d90e502..cffffca2da 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -5,8 +5,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
-ms.author: lizross
+author: justinha
+ms.author: justinha
ms.date: 10/19/2017
---
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index 7e437ce4b1..0fb816ceab 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -5,9 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
-ms.author: lizross
-ms.date: 10/23/2017
+author: justinha
+ms.author: justinha
+ms.date: 07/09/2018
---
# Windows Defender Application Guard overview
@@ -15,10 +15,8 @@ ms.date: 10/23/2017 **Applies to:** - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 - -The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. -Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. +Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. ## What is Application Guard and how does it work? Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index a8defba7ee..193fddfef8 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md 
@@ -1,4 +1,4 @@
-# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+# [Windows Defender Security Center](windows-defender-security-center-atp.md)
##Get started
### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
@@ -21,7 +21,7 @@
### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-## [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+## [Understand the portal](use-windows-defender-advanced-threat-protection.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
@@ -72,11 +72,13 @@
###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-### [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md)
### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
#### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
#### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+## [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md)
+
+## [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
##API and SIEM support
### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
@@ -114,13 +116,13 @@
###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
+###### [Block file](block-file-windows-defender-advanced-threat-protection.md)
###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
+###### [Get FileActions collection](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Unblock file](unblock-file-windows-defender-advanced-threat-protection.md)
#####IP
###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
@@ -128,25 +130,25 @@
###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection.md)
###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
###### [Get 
machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+###### [Get package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample](request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
@@ -165,7 +167,7 @@
### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender ATP Settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+## [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
###General
#### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
@@ -173,7 +175,7 @@
#### [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
#### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
#### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
-#### [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
+
###Permissions
#### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
@@ -193,9 +195,9 @@
#### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender ATP time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
+## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md)
## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
-## [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+## [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-## [Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 28dc66fbb4..b414111b05 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
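Review bot: The renamed entry `## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md)` dropped the word "time" from "time zone settings", so the TOC label no longer matches the linked time-settings page; it should read `## [Configure Windows Defender Security Center time zone settings](time-settings-windows-defender-advanced-threat-protection.md)`. The same hunk removes the "Windows Defender Antivirus compatibility with Windows Defender ATP" entry and replaces it with an empty line, so that page is no longer reachable from the TOC even though the Windows Defender AV passive-mode page touched by this commit still links to defender-compatibility-windows-defender-advanced-threat-protection.md; if the entry is meant to move, it should be re-added under its new parent rather than left only as an inbound link.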
@@ -71,7 +71,7 @@ When you complete the integration steps on both portals, you'll be able to see r
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index 2888e97c54..2ebe1dceb6 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -40,6 +40,9 @@ To effectively build queries that span multiple tables, you need to understand t | AdditionalFields | string | Additional information about the event in JSON array format | | AlertId | string | Unique identifier for the alert | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. | +| DefaultGateways | string | Default gateway addresses in JSON array format | +| DnsServers | string | DNS server addresses in JSON array format | | EventTime | datetime | Date and time when the event was recorded | | EventType | string | Table where the record is stored | | FileName | string | Name of the file that the recorded action was applied to | 
@@ -64,15 +67,22 @@ To effectively build queries that span multiple tables, you need to understand t | InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | | InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | +| Ipv4Dhcp | string | IPv4 address of DHCP server | +| Ipv6Dhcp | string | IPv6 address of DHCP server | | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | | LocalIP | string | IP address assigned to the local machine used during communication | | LocalPort | int | TCP port on the local machine used during communication | | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. | | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | | LogonType | string | Type of logon session, specifically:

    - **Interactive** - User physically interacts with the machine using the local keyboard and screen

    - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

    - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

    - **Batch** - Session initiated by scheduled tasks

    - **Service** - Session initiated by services as they start
    +| MacAddress | string | MAC address of the network adapter | | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | | MachineId | string | Unique identifier for the machine in the service | | MD5 | string | MD5 hash of the file that the recorded action was applied to | +| NetworkAdapterName | string | Name of the network adapter | +| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | +| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | | NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format | | OSArchitecture | string | Architecture of the operating system running on the machine | | OSBuild | string | Build version of the operating system running on the machine | @@ -99,6 +109,7 @@ To effectively build queries that span multiple tables, you need to understand t | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example:
    - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP)
    - VPN (PPTP, SSTP)
    - SSH
    **NOTE:** This field doesn’t provide full IP tunneling specifications. | >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index f86299df06..315a0b021a 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/13/2018 +ms.date: 08/15/2018 --- # Query data using Advanced hunting in Windows Defender ATP @@ -51,7 +51,8 @@ First, we define a time filter to review only records from the previous seven da We then add a filter on the _FileName_ to contain only instances of _powershell.exe_. -Afterwards, we add a filter on the _ProcessCommandLine_ +Afterwards, we add a filter on the _ProcessCommandLine_. + Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. You have the option of expanding the screen view so you can focus on your hunting query and related results. 
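Review bot: In the new ConnectedNetworks row, `Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet.` reads as one array per network, but the column is a single JSON array whose elements are networks; suggest `JSON array in which each element contains the network name, category (public, private or domain), a description, and a flag indicating whether it is connected publicly to the internet.` The new MacAddress, IPAddresses and NetworkAdapterName columns overlap with the existing NetworkCardIPs column (`List of all network adapters on the machine, including their MAC addresses and assigned IP addresses`), and the reference does not say which table each new column belongs to, so a hunter cannot tell which to query for adapter, DNS or gateway data; naming the table (presumably a per-adapter network-information table, to be confirmed) next to each new column would resolve that. The column table starts before the first hunk of this file.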
@@ -134,7 +135,7 @@ These steps guide you on modifying and overwriting an existing query. The result set has several capabilities to provide you with effective investigation, including: -- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal. +- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Windows Defender Security Center. - You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. ![Image of Windows Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 8f108fac32..677b25564f 100644 --- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Windows Defender ATP alert API fields -description: Understand how the alert API fields map to the values in the Windows Defender ATP portal. +description: Understand how the alert API fields map to the values in Windows Defender Security Center keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -28,7 +28,7 @@ ms.date: 10/16/2017 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) -Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. +Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. ## Alert API fields and portal mapping diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 0be5072e10..e948d94905 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Assign user access to the Windows Defender ATP portal +title: Assign user access to Windows Defender Security Center description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: medium ms.date: 04/24/2018 --- -# Assign user access to the Windows Defender ATP portal +# Assign user access to Windows Defender Security Center **Applies to:** - Windows 10 Enterprise diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md index 6dfc383d4f..933ac113b2 100644 
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md @@ -52,7 +52,7 @@ If successful, this method returns 200, Ok response code with empty body, which ## Example -Request +**Request** Here is an example of the request. @@ -66,7 +66,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md index b9e163b603..1d19deb5cb 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -63,7 +63,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md index 72c39bb7dd..295192756c 100644 --- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md 
@@ -30,7 +30,7 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Windows Defender ATP portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page. +- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page. - Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 1443633294..432cfcfa13 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md 
@@ -88,13 +88,13 @@ You need to make sure that all your devices are enrolled in Intune. You can use -There are steps you'll need to take in the Windows Defender ATP portal, the Intune portal, and Azure AD portal. +There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. Take the following steps to enable conditional access: -- Step 1: Turn on the Microsoft Intune connection from the Windows Defender ATP portal +- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center - Step 2: Turn on the Windows Defender ATP integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index 6854feeff6..c4633c09c3 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Configure HP ArcSight to pull Windows Defender ATP alerts -description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal. +description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh ms.prod: w10 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 755d61b729..24160d9cd2 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/18/2018 +ms.date: 07/16/2018 --- # Configure alert notifications in Windows Defender ATP @@ -24,7 +24,6 @@ ms.date: 06/18/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. 
@@ -50,7 +49,9 @@ You can create rules that determine the machines and alert severities to send em 2. Click **Add notification rule**. 3. Specify the General information: - - **Rule name** + - **Rule name** - Specify a name for the notification rule. + - **Include organization name** - Specify the customer name that appears on the email notification. + - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant. - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - **Alert severity** - Choose the alert severity level diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 4d3e7b1cbb..980252189b 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md 
@@ -34,7 +34,7 @@ ms.date: 04/24/2018 > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ## Onboard machines using Group Policy -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -64,7 +64,7 @@ ms.date: 04/24/2018 > After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ## Additional Windows Defender ATP configuration settings -For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. +For each machine, you can state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. 
@@ -120,7 +120,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. @@ -154,7 +154,7 @@ For security reasons, the package used to Offboard machines will expire 30 days With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor machines using the portal -1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). +1. Go to [Windows Defender Security Center](https://securitycenter.windows.com/). 2. Click **Machines list**. 3. Verify that machines are appearing. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 9decf3868e..83f63e9c62 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md 
@@ -54,7 +54,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service. - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis. - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently. - - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from the Windows Defender ATP portal, and add it. Otherwise, skip this property. + - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property. 7. Select **OK**, and **Create** to save your changes, which creates the profile. @@ -62,7 +62,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre ### Onboard and monitor machines using the classic Intune console -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. 
@@ -145,7 +145,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index ae90065fd3..71b333c546 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md 
@@ -24,7 +24,7 @@ ms.date: 04/24/2018 -Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. +Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 04552bb241..cbc1b85dda 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md 
@@ -47,7 +47,7 @@ You can use existing System Center Configuration Manager functionality to create ### Onboard machines using System Center Configuration Manager -1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -70,7 +70,7 @@ You can use existing System Center Configuration Manager functionality to create > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ### Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. +For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine. This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint. 
@@ -125,7 +125,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 1ccd8fbdf2..8236a40cf4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md 
@@ -34,7 +34,7 @@ You can also manually onboard individual machines to Windows Defender ATP. You m > The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). ## Onboard machines -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -66,7 +66,7 @@ For information on how you can manually validate that the machine is compliant a > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). ## Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. +For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file. 
@@ -92,7 +92,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. @@ -126,7 +126,7 @@ You can follow the different verification steps in the [Troubleshoot onboarding Monitoring can also be done directly on the portal, or by using the different deployment tools. ### Monitor machines using the portal -1. Go to the Windows Defender ATP portal. +1. Go to Windows Defender Security Center. 2. Click **Machines list**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index c26f608d94..7f15b0fc5c 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md 
@@ -38,7 +38,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m >[!WARNING] > For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding. -1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -78,8 +78,8 @@ You can onboard VDI machines using a single entry or multiple entries for each m d. Logon to machine with another user. - e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
    - **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal. + e. **For single entry for each machine**: Check only one entry in Windows Defender Security Center.
    + **For multiple entries for each machine**: Check multiple entries in Windows Defender Security Center. 7. Click **Machines list** on the Navigation pane. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index 1866f253bb..c0ae298a7a 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 07/12/2018 --- # Onboard Windows 10 machines @@ -27,7 +27,7 @@ ms.date: 04/24/2018 Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization. -Windows Defender ATP supports the following deployment tools and methods: +The following deployment tools and methods are supported: - Group Policy - System Center Configuration Manager diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 0941965015..23f06ea316 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md 
@@ -91,9 +91,9 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | Microsoft.com DNS record :---|:--- Common URLs for all locations | ```*.blob.core.windows.net```
    ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```events.data.microsoft.com``` -US | ```us.vortex-win.data.microsoft.com```
    ```us-v20.events.data.microsoft.com```
    ```winatp-gw-cus.microsoft.com```
    ```winatp-gw-eus.microsoft.com``` -Europe | ```eu.vortex-win.data.microsoft.com```
    ```eu-v20.events.data.microsoft.com```
    ```winatp-gw-neu.microsoft.com```
    ```winatp-gw-weu.microsoft.com``` -UK | ```uk.vortex-win.data.microsoft.com```
    ```uk-v20.events.data.microsoft.com```
    ```winatp-gw-uks.microsoft.com```
    ```winatp-gw-ukw.microsoft.com``` +European Union | ```eu.vortex-win.data.microsoft.com```
    ```eu-v20.events.data.microsoft.com```
    ```winatp-gw-neu.microsoft.com```
    ```winatp-gw-weu.microsoft.com``` +United Kingdom | ```uk.vortex-win.data.microsoft.com```
    ```uk-v20.events.data.microsoft.com```
    ```winatp-gw-uks.microsoft.com```
    ```winatp-gw-ukw.microsoft.com``` +United States | ```us.vortex-win.data.microsoft.com```
    ```us-v20.events.data.microsoft.com```
    ```winatp-gw-cus.microsoft.com```
    ```winatp-gw-eus.microsoft.com``` If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. @@ -127,14 +127,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example: - ```text - Testing URL : https://xxx.microsoft.com/xxx - 1 - Default proxy: Succeeded (200) - 2 - Proxy auto discovery (WPAD): Succeeded (200) - 3 - Proxy disabled: Succeeded (200) - 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist - ``` + ```text + Testing URL : https://xxx.microsoft.com/xxx + 1 - Default proxy: Succeeded (200) + 2 - Proxy auto discovery (WPAD): Succeeded (200) + 3 - Proxy disabled: Succeeded (200) + 4 - Named proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist + ``` If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.

    diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index e174b920d6..cf4dafd48d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas -ms.localizationpriority: medium -ms.date: 05/08/2018 +ms.localizationpriority: high +ms.date: 08/08/2018 --- # Onboard servers to the Windows Defender ATP service @@ -27,7 +27,7 @@ ms.date: 05/08/2018 Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. -Windows Defender ATP supports the onboarding of the following servers: +The service supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 
@@ -36,12 +36,23 @@ Windows Defender ATP supports the onboarding of the following servers: To onboard your servers to Windows Defender ATP, you’ll need to: +- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. - Turn on server monitoring from the Windows Defender Security Center portal. - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +### Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + ### Turn on Server monitoring from the Windows Defender Security Center portal 
@@ -89,11 +100,9 @@ Agent Resource | Ports ## Onboard Windows Server, version 1803 You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). +1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). -2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). - -3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: +2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: a. Set the following registry entry: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` 
@@ -108,12 +117,31 @@ You’ll be able to onboard in the same method available for Windows 10 client m ![Image of passive mode verification result](images/atp-verify-passive-mode.png) -4. Run the following command to check if Windows Defender AV is installed: +3. Run the following command to check if Windows Defender AV is installed: ```sc query Windefend``` If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + +## Integration with Azure Security Center +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +The following capabilities are included in this integration: +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding). + + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + +- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. 
+- Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach
+
+>[!IMPORTANT]
+>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default.
+>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
+
+
+
 ## Offboard servers
 You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index a7014a264b..f499b17917 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -57,6 +57,6 @@ Topic | Description
 [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
 [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
 [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
-[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
 [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
 [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 922db1acba..ed37cdaedb 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Splunk to pull Windows Defender ATP alerts
-description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
+description: Configure Splunk to receive and pull alerts from Windows Defender Security Center.
 keywords: configure splunk, security information and events management tools, splunk
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 4274ab7f39..43933756ec 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -135,7 +135,7 @@ Content-Type: application/json;
 }
 ```
-The following values correspond to the alert sections surfaced on the Windows Defender ATP portal:
+The following values correspond to the alert sections surfaced on Windows Defender Security Center:
 ![Image of alert from the portal](images/atp-custom-ti-mapping.png)
 Highlighted section | JSON key name
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index b77656d1fc..1d1154af3b 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 04/24/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
-Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
+Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Windows Defender Security Center.
 1. In the navigation pane, select **Settings** > **Threat intel**.
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 6ad34e8a8f..44e55b2b9b 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 04/24/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
+Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
 1. In the navigation pane, select **Settings** > **SIEM**.
@@ -55,7 +55,7 @@ Enable security information and event management (SIEM) integration so you can p
 > [!NOTE]
 > You'll need to generate a new Refresh token every 90 days.
-You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
+You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center.
diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 20d32432c5..137a1b8070 100644
--- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -139,7 +139,7 @@ This step will guide you in simulating an event in connection to a malicious IP
 ## Step 4: Explore the custom alert in the portal
 This step will guide you in exploring the custom alert in the portal.
-1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
+1. Open [Windows Defender Security Center](http://securitycenter.windows.com/) on a browser.
 2. Log in with your Windows Defender ATP credentials.
@@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal.
 ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)
 > [!NOTE]
-> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective.
+> There is a latency time of approximately 20 minutes between the time a custom TI is introduced and when it becomes effective.
 ## Related topics
 - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index 11149f97e2..94cb8338ce 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Find machine information by internal IP API
-description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or internal IP.
-keywords: apis, graph api, supported apis, find machine, machine information, IP
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 12/08/2017
+ms.date: 07/25/2018
 ---
 # Find machine information by internal IP API
@@ -20,15 +20,17 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Find a machine entity around a specific timestamp by internal IP.
-Find a machine entity around a specific timestamp by FQDN or internal IP.
+>[!NOTE]
+>The timestamp must be within the last 30 days.
 ## Permissions
 User needs read permissions.
 ## HTTP request
 ```
-GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+GET /testwdatppreview/machines/find(timestamp={time},key={IP})
 ```
 ## Request headers
@@ -49,19 +51,20 @@ If no machine found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
 ```
-GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
 ```
 HTTP/1.1 200 OK
diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index e0888ae096..8d04e19940 100644
--- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -37,7 +37,7 @@ An inactive machine is not necessarily flagged due to an issue. The following ac
 If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.
 **Machine was reinstalled or renamed**
    -A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
+A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
 **Machine was offboarded**
    If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index 84dee5c7d5..11933fc1f8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If actor does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/actors/zinc
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index 8a5762e665..7d607f80b0 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If actor does not exist or no related alerts - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index 419cb34165..7bd281c1c2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index 9db57c1f3a..feb7c72977 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or actor not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index 2345c8b138..1dc2400622 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or domain not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index df332bb31e..692038dece 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or files not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index be6ceafbb2..13d6fa451e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or IPs not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index 3ef95e980b..c65563b583 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -48,7 +48,7 @@ If alert not found or machine not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -57,7 +57,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index 0844973f7e..0ca328f129 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or user not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 554f7a5466..91370e6ab4 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If no recent alerts found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index 7d08798a81..edf69b8cc2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain or alert does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index c33a75f487..42274f276d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain or machines do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index 8fc1561fca..a8d16cda6c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index 73c57db52c..3a8aecdcdc 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If file does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index fd93bb2eae..3bc108f4c5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If file or alerts do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index e6c5a9365d..46a55266b9 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If file or machines do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index 64a0f6b518..379a272b7f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If file do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
index 12c0fa3996..58ec0179eb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ If successful, this method returns 200, Ok response code with a collection of Fi
 ## Example
-Request
+**Request**
 Here is an example of the request on an organization that has three FileActions.
@@ -59,7 +59,7 @@ Here is an example of the request on an organization that has three FileActions.
 GET https://graph.microsoft.com/testwdatppreview/fileactions
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
index 754f96f452..e30ca834b1 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with the *FileMachineAc
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -55,7 +55,7 @@ Here is an example of the request.
 GET https://graph.microsoft.com/testwdatppreview/filemachineactions/3dc88ce3-dd0c-40f7-93fc-8bd14317aab6
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
index a539468085..4f981ccd54 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with a collection of Fi
 ## Example 1
-Request
+**Request**
 Here is an example of the request on an organization that has three FileMachineActions.
@@ -55,7 +55,7 @@ Here is an example of the request on an organization that has three FileMachineA GET https://graph.microsoft.com/testwdatppreview/filemachineactions ``` -Response +**Response** Here is an example of the response. @@ -113,7 +113,7 @@ Content-type: application/json ##Example 2 -Request +**Request** Here is an example of a request that filters the FileMachineActions by machine ID and shows the latest two FileMachineActions. @@ -121,7 +121,7 @@ Here is an example of a request that filters the FileMachineActions by machine I GET https://graph.microsoft.com/testwdatppreview/filemachineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 ``` -Response +**Response** ``` HTTP/1.1 200 Ok diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md index 9df15443a5..b1ad30ecd5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If IP and alerts do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md index 057ba3204c..1796c563b1 100644 
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md @@ -42,7 +42,7 @@ If IP or machines do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -51,7 +51,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md index 2707f3e8f3..f04eee146e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If domain does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md index 4fae64901f..cdb7691d99 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md 
@@ -49,7 +49,7 @@ If no machine found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md index f63f7a4ac8..f73f0600fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md @@ -50,7 +50,7 @@ If no machine found or no users found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md index 4d8df5b6a4..2cbf47c5da 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If no machine or no alerts found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md index 2fc484f7ef..21214216c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md @@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with the *MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -55,7 +55,7 @@ Here is an example of the request. GET https://graph.microsoft.com/testwdatppreview/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md index 5cd4a460b5..4f8250057a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md @@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with a collection of Ma ## Example 1 -Request +**Request** Here is an example of the request on an organization that has three MachineActions. 
@@ -55,7 +55,7 @@ Here is an example of the request on an organization that has three MachineActio GET https://graph.microsoft.com/testwdatppreview/machineactions ``` -Response +**Response** Here is an example of the response. @@ -107,7 +107,7 @@ Content-type: application/json ## Example 2 -Request +**Request** Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. @@ -117,7 +117,7 @@ GET https://graph.microsoft.com/testwdatppreview/machineactions?$filter=machineI -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md index 23858c2f48..15f5915642 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If no recent machines - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md index bfb9838d29..b000396208 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md 
@@ -28,7 +28,7 @@ Users need to have Security administrator or Global admin directory roles. ## HTTP request ``` -POST /testwdatppreview/machineactions/{id}/getPackageUri +GET /testwdatppreview/machineactions/{id}/getPackageUri ``` ## Request headers @@ -48,7 +48,7 @@ If successful, this method returns 200, Ok response code with object that holds ## Example -Request +**Request** Here is an example of the request. @@ -57,7 +57,7 @@ GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525c ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md index 813f2d6b28..44a41412fe 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If user does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md index 1d59e3024a..12c741d3fe 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If user does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md index c4555f4144..80a2b92234 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If user or machine does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png new file mode 100644 index 0000000000..51f4335265 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png differ 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG
index dda65b5342..d7e7d092eb 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG and b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/components.png b/windows/security/threat-protection/windows-defender-atp/images/components.png
index 04ab864727..0ddc52f5d3 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/components.png and b/windows/security/threat-protection/windows-defender-atp/images/components.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png
new file mode 100644
index 0000000000..06ad5e6ed2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png
new file mode 100644
index 0000000000..60725244e5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index d90a76d961..c6beecee0e 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 05/30/2018 +ms.date: 08/01/2018 --- # Investigate machines in the Windows Defender ATP Machines list @@ -178,6 +178,9 @@ Use the following registry key entry to add a tag on a machine: - Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` - Registry key value (string): Group +>[!NOTE] +>The device tag is part of the machine information report that’s generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. + ### Add machine tags using the portal Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md index dde8702b35..3bda2052aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md @@ -42,7 +42,7 @@ If domain does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -51,7 +51,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. 
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md index 3071b4389d..0e5cdd372b 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ If IP do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md index 747a0d6995..8a1af5560e 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md @@ -57,7 +57,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -70,7 +70,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index ee311f4d0e..778f8d48b4 100644 
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -50,9 +50,9 @@ To gain access into which licenses are provisioned to your company, and to check ![Image of O365 admin portal](images\atp-O365-admin-portal-customer.png) -## Access the Windows Defender ATP portal for the first time +## Access Windows Defender Security Center for the first time -When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created. +When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created. 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. 
@@ -64,7 +64,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. ![Image of Welcome screen for portal set up](images\atp-portal-welcome-screen.png) - You will need to set up your preferences for the Windows Defender ATP portal. + You will need to set up your preferences for Windows Defender Security Center. 3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. @@ -108,11 +108,11 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. 8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**. > [!NOTE] - > Some of these options can be changed at a later time in the Windows Defender ATP portal. + > Some of these options can be changed at a later time in Windows Defender Security Center. ![Image of final preference set up](images\atp-final-preference-setup.png) -9. A dedicated cloud instance of the Windows Defender ATP portal is being created at this time. This step will take an average of 5 minutes to complete. +9. A dedicated cloud instance of Windows Defender Security Center portal is being created at this time. This step will take an average of 5 minutes to complete. ![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png) 
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 7f2592ffce..4860f91956 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -57,7 +57,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen Added comments instantly appear on the pane. ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index e1ce6b8173..89eeee2c0e 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md 
@@ -41,9 +41,7 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t 3. Configure the following extension names and separate extension names with a comma: - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection - - **Attachment extension names** - Suspicious email attachments with these extension names will be submitted for additional inspection - - + ## Related topics - [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 0316cfd397..aee31bf368 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/15/2018 +ms.date: 07/01/2018 --- # Minimum requirements for Windows Defender ATP 
@@ -23,17 +23,11 @@ ms.date: 06/15/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - There are some minimum requirements for onboarding machines to the service. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) -## Minimum requirements -You must be on Windows 10, version 1607 at a minimum. -For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). - -### Licensing requirements +## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 
@@ -42,105 +36,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). -### Browser requirements -Internet Explorer and Microsoft Edge are supported. Any HTML5 compliant browsers are also supported. - -### Network and data storage and configuration requirements -When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. - -> [!NOTE] -> - You cannot change your data storage location after the first-time setup. -> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. - -### Hardware and software requirements - -The Windows Defender ATP agent only supports the following editions of Windows 10: - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - -Machines on your network must be running one of these editions. - -The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions. - -> [!NOTE] -> Machines that are running mobile versions of Windows are not supported. - -#### Internet connectivity -Internet connectivity on machines is required either directly or through proxy. - -The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. - -For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . 
- -Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. - - -### Diagnostic data settings -You must ensure that the diagnostic data service is enabled on all the machines in your organization. -By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. - -**Use the command line to check the Windows 10 diagnostic data service startup type**: - -1. Open an elevated command-line prompt on the machine: - - a. Go to **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - -If the service is enabled, then the result should look like the following screenshot: - -![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) - -If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. - - - -**Use the command line to set the Windows 10 diagnostic data service to automatically start:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Go to **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc config diagtrack start=auto - ``` - -3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - -## Windows Defender Antivirus signature updates are configured -The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. - -You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. 
For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). - -When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. - -Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md). - -For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). - -## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled -If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard. - -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). - ->Want to experience Windows Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1) ## Related topic - [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 1c84acc786..5f44382d18 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/19/2018 +ms.date: 07/01/2018 --- # Onboard machines to the Windows Defender ATP service 
@@ -18,14 +18,14 @@ ms.date: 06/19/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) - You need to onboard machines to Windows Defender ATP before you can use the service. For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). +[!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + ## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: 
@@ -60,11 +60,77 @@ The hardware requirements for Windows Defender ATP on machines is the same as th ### Other supported operating systems +- macOSX +- Linux + >[!NOTE] >You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. -- macOS X -- Linux + +### Network and data storage and configuration requirements +When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. + +> [!NOTE] +> - You cannot change your data storage location after the first-time setup. +> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. + + +### Diagnostic data settings +You must ensure that the diagnostic data service is enabled on all the machines in your organization. +By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. + +**Use the command line to check the Windows 10 diagnostic data service startup type**: + +1. Open an elevated command-line prompt on the machine: + + a. Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + +If the service is enabled, then the result should look like the following screenshot: + +![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + +If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. + + + +**Use the command line to set the Windows 10 diagnostic data service to automatically start:** + +1. Open an elevated command-line prompt on the endpoint: + + a. 
Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc config diagtrack start=auto + ``` + +3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + + + +#### Internet connectivity +Internet connectivity on machines is required either directly or through proxy. + +The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. + +For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . + +Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. ## Windows Defender Antivirus configuration requirement 
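Review bot: The command in the new "Diagnostic data settings" section, `sc config diagtrack start=auto`, does not work as written: sc.exe requires a space after the equals sign, so the line should read `sc config diagtrack start= auto` (without the space sc prints its usage text and leaves the start type unchanged). A reader following the page literally would then see the `sc qc diagtrack` verification step still report the old start type, or worse, skip the check and onboard a machine that never sends sensor data. It would also help to say whether an `AUTO_START  (DELAYED)` start type is acceptable — presumably it is, confirm against the sensor requirements — rather than implying only the exact string AUTO_START passes. The last sentence of the "Internet connectivity" subsection repeats the diagnostic-data requirement already stated above it and could be dropped.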
@@ -79,14 +145,19 @@ If you are onboarding servers and Windows Defender Antivirus is not the active a For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled +If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard. + +If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). + ## In this section Topic | Description :---|:--- -[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP. -[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP. -[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. 
You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. +[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. +[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP +[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. 
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index f663a3e628..46f931e363 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -60,7 +60,7 @@ Review the following details to verify minimum system requirements: >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. -- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) +- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index ebbbabf5d5..bbee7b2a62 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection portal overview -description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. -keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks +description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. +keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -27,14 +27,14 @@ ms.date: 04/24/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. +Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. -You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to: +You can use [Windows Defender Security Center](https://securitycenter.windows.com/) to: - View, sort, and triage alerts from your endpoints - Search for more information on observed indicators such as files and IP Addresses - Change Windows Defender ATP settings, including time zone and review licensing information. -## Windows Defender ATP portal +## Windows Defender Security Center When you open the portal, you’ll see the main areas of the application: ![Windows Defender Advanced Threat Protection portal](images/dashboard.png) diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index c31724c417..ee949dfc75 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md 
@@ -35,7 +35,7 @@ You can easily get started by: - Creating a dashboard on the Power BI service - Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization -You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported. +You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI Desktop are supported. ## Create a Windows Defender ATP dashboard on Power BI service Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index a9f374c00d..769e84dfb8 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP settings +title: Configure Windows Defender Security Center settings description: Use the settings page to configure general settings, permissions, apis, and rules. keywords: settings, general settings, permissions, apis, rules search.product: eADQiWindows 10XVcnh @@ -12,7 +12,7 @@ author: mjcaparas ms.localizationpriority: medium ms.date: 04/24/2018 --- -# Configure Windows Defender ATP settings +# Configure Windows Defender Security Center settings **Applies to:** 
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 16ca374715..8675655043 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 07/30/2018 --- # Windows Defender ATP preview features @@ -49,6 +49,10 @@ Onboard supported versions of Windows machines so that they can send sensor data - Windows 8.1 Enterprise - Windows 8.1 Pro +- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
    +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index e3ead52979..aab70fb694 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Pull Windows Defender ATP alerts using REST API -description: Pull alerts from the Windows Defender ATP portal REST API. +description: Pull alerts from Windows Defender ATP REST API. keywords: alerts, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index 0fc53246c7..6c6e1ced73 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: Use role-based access control to grant fine-grained access to the Windows Defender ATP portal +title: Use role-based access control to grant fine-grained access to Windows Defender Security Center description: Create roles and groups within your security operations to grant access to the portal. keywords: rbac, role, based, access, control, groups, control, tier, aad search.product: eADQiWindows 10XVcnh 
@@ -57,12 +57,12 @@ Before using RBAC, it's important that you understand the roles that can grant p > [!WARNING] > Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal. -When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. +When you first log in to Windows Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments > [!WARNING] -> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important. > > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.** 
> diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md index 2a77493d4a..5e12dabe3d 100644 --- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md @@ -52,7 +52,7 @@ If successful, this method returns 201, Created response code and *FileMachineAc ## Example -Request +**Request** Here is an example of the request. @@ -66,7 +66,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md index 86e95ef071..b7b33d60ef 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -63,7 +63,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index ff6df83998..c6803604a8 100644 
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -59,7 +59,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -72,7 +72,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index c3aaebae19..47815df570 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -326,7 +326,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba Machines are considered "well configured" for Windows Defender Credential Guard if the following requirements are met: - Hardware and software prerequisites are met -- Windows Defender Credential Guard is turned on on compatible machines +- Windows Defender Credential Guard is turned on compatible machines ##### Recommended actions: diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md index 246a062ea3..9540e46529 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md @@ -52,7 +52,7 @@ If successful, this method returns 201, Created response code and _FileMachineAc ## Example -Request +**Request** Here is an example of the request. @@ -65,7 +65,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index 36a1a0a80b..e9cb11bc67 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Windows Defender Advanced Threat Protection time zone settings +title: Windows Defender Security Center time zone settings description: Use the menu to configure the time zone and view license information. -keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license +keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: medium ms.date: 02/13/2018 --- -# Windows Defender Advanced Threat Protection time zone settings +# Windows Defender Security Center time zone settings **Applies to:** 
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 7bc886f9c7..eee538a7aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md 
@@ -1,76 +1,85 @@ ---- -title: Troubleshoot onboarding issues and error messages -description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. -keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-tanewt -author: tbit0001 -ms.localizationpriority: medium -ms.date: 11/28/2017 ---- - -# Troubleshoot subscription and portal access issues - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) - - -This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. - -If you receive an error message, the Windows Defender ATP portal will provide a detailed explanation on what the issue is and relevant links will be supplied. - -## No subscriptions found - -If while accessing the Windows Defender ATP portal you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. - -Potential reasons: -- The Windows E5 and Office E5 licenses are separate licenses. -- The license was purchased but not provisioned to this AAD instance. - - It could be a license provisioning issue. - - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. 
- -For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or -[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). - -![Image of no subscriptions found](images\atp-no-subscriptions-found.png) - -## Your subscription has expired - -If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. - -You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. - -> [!NOTE] -> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. - -![Image of subscription expired](images\atp-subscription-expired.png) - -## You are not authorized to access the portal - -If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. -For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). 
- -![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) - -## Data currently isn't available on some sections of the portal -If the portal dashboard, and other sections show an error message such as "Data currently isn't available": - -![Image of data currently isn't available](images/atp-data-not-available.png) - -You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`. - - -## Related topics +--- +title: Troubleshoot onboarding issues and error messages +description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. +keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-tanewt +author: tbit0001 +ms.localizationpriority: medium +ms.date: 08/01/2018 +--- + +# Troubleshoot subscription and portal access issues + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) + + +This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. + +If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. 
+ +## No subscriptions found + +If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. + +Potential reasons: +- The Windows E5 and Office E5 licenses are separate licenses. +- The license was purchased but not provisioned to this AAD instance. + - It could be a license provisioning issue. + - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. + +For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or +[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). + +![Image of no subscriptions found](images\atp-no-subscriptions-found.png) + +## Your subscription has expired + +If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. + +You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. + +> [!NOTE] +> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. 
+ +![Image of subscription expired](images\atp-subscription-expired.png) + +## You are not authorized to access the portal + +If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. +For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). + +![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) + +## Data currently isn't available on some sections of the portal +If the portal dashboard, and other sections show an error message such as "Data currently isn't available": + +![Image of data currently isn't available](images/atp-data-not-available.png) + +You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`. + + +## Portal communication issues +If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation. + +- `*.blob.core.windows.net +crl.microsoft.com` +- `https://*.microsoftonline-p.com` - `https://*.securitycenter.windows.com` - `https://automatediracs-eus-prd.securitycenter.windows.com` - `https://login.microsoftonline.com` - `https://login.windows.net` - `https://onboardingpackagescusprd.blob.core.windows.net` +- `https://secure.aadcdn.microsoftonline-p.com` +- `https://securitycenter.windows.com` - `https://static2.sharepointonline.com` + +## Related topics - [Validate licensing provisioning and complete setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 6a78b01173..c6e68b56e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot Windows Defender Advanced Threat Protection +title: Troubleshoot Windows Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh 
@@ -10,29 +10,24 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/23/2017 +ms.date: 07/30/2018 --- -# Troubleshoot Windows Defender Advanced Threat Protection +# Troubleshoot service issues **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. -### Server error - Access is denied due to invalid credentials +## Server error - Access is denied due to invalid credentials If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### Elements or data missing on the portal -If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. +## Elements or data missing on the portal +If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. 
@@ -40,17 +35,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -### Windows Defender ATP service shows event or error logs in the Event Viewer +## Windows Defender ATP service shows event or error logs in the Event Viewer See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. -### Windows Defender ATP service fails to start after a reboot and shows error 577 +## Windows Defender ATP service fails to start after a reboot and shows error 577 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). -#### Known issues with regional formats +## Known issues with regional formats **Date and time formats**
    There are some known issues with the time and date formats. @@ -70,6 +65,20 @@ Support of use of comma as a separator in numbers are not supported. Regions whe >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +## Windows Defender ATP tenant was automatically created in Europe +When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. + + + + + + + + + + + + ## Related topics - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md index 8a85f201ce..7ea3ec1258 100644 --- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md @@ -52,7 +52,7 @@ If successful, this method returns 200, Ok response code with empty body, which ## Example -Request +**Request** Here is an example of the request. @@ -64,7 +64,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md index 2d3ab9fbaf..c0ef9d02f6 100644 
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -63,7 +63,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md index dcd0775b9e..4c8788c337 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -64,7 +64,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index f394f62b34..b8fed131a5 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -36,7 +36,7 @@ You can use the code examples to guide you in creating calls to the custom threa Topic | Description :---|:--- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. -[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API. +[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using REST API. [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index e875c22f43..07cec03da7 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Use the Windows Defender Advanced Threat Protection portal -description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks. +description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -27,7 +27,7 @@ ms.date: 03/12/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards. +You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index ee4cd6878f..07eee21200 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- -title: Windows Defender Advanced Threat Protection -description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. +title: Windows Defender Advanced Threat Protection +description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,18 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.localizationpriority: high +ms.date: 07/12/2018 --- # Windows Defender Advanced Threat Protection **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -29,78 +24,22 @@ ms.date: 04/24/2018 > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). -Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. +Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787). +To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center. -Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: - -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors - collect and process behavioral signals from the operating system - (for example, process, registry, file, and network communications) - and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. - - -- **Cloud security analytics**: Leveraging big-data, machine-learning, and - unique Microsoft optics across the Windows ecosystem (such as the - [Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx), - enterprise cloud products (such as Office 365), and online assets - (such as Bing and SmartScreen URL reputation), behavioral signals - are translated into insights, detections, and recommended responses - to advanced threats. 
- -- **Threat intelligence**: Generated by Microsoft hunters, security teams, - and augmented by threat intelligence provided by partners, threat - intelligence enables Windows Defender ATP to identify attacker - tools, techniques, and procedures, and generate alerts when these - are observed in collected sensor data. - - ![Windows Defender ATP service component](images/components.png) - -Machine investigation capabilities in this service let you drill down -into security alerts and understand the scope and nature of a potential -breach. You can submit files for deep analysis and receive the results -without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com). The automated investigation and remediation capability reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches. - -Windows Defender ATP works with existing Windows security technologies -on machines, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It -can also work side-by-side with third-party security solutions and -antimalware products. - -Windows Defender ATP leverages Microsoft technology and expertise to -detect sophisticated cyber-attacks, providing: - -- Behavior-based, cloud-powered, advanced attack detection - - Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on machines. - -- Rich timeline for forensic investigation and mitigation - - Easily investigate the scope of breach or suspected behaviours on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs. 
- -- Built in unique threat intelligence knowledge base - - Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources. - -- Automated investigation and remediation - - Significantly reduces alert volume by leveraging inspection algorithms used by analysts to examine alerts and take remediation action. +The Windows Defender ATP platform is where all the capabilities that are available across multiple products come together to give security operations teams the ability to effectively manage their organization's network. ## In this section Topic | Description :---|:--- -Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal. -[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. -[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. -Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. -API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal. -Reporting | Create and build Power BI reports using Windows Defender ATP data. -Check service health and sensor state | Verify that the service is running and check the sensor state on machines. 
-[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. -[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product. -[Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. -[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Understand how Windows Defender Antivirus integrates with Windows Defender ATP. +[Windows Defender Security Center](windows-defender-security-center-atp.md) | Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. +[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. +[Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) | Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. 
+[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).
+[Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
+
## Related topic
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
new file mode 100644
index 0000000000..244a14ea0d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
@@ -0,0 +1,38 @@
+---
+title: Windows Defender Security Center
+description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection.
+keywords: windows, defender, security, center, defender, advanced, threat, protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# Windows Defender Security Center
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
+
+## In this section
+
+Topic | Description
+:---|:---
+Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
+[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
+[Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
+Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
+API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Windows Defender Security Center.
+Reporting | Create and build Power BI reports using Windows Defender ATP data.
+Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
+[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
+[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
+[Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 8cecfe7be5..9f78476437 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
---
@@ -103,6 +103,7 @@ Block credential stealing from the Windows local security authority subsystem (l Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. @@ -214,12 +215,16 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes +### Rule: Block Office communication applications from creating child processes (available for beta testing) Office communication apps will not be allowed to create child processes. This includes Outlook. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +### Rule: Block Adobe Reader from creating child processes (available for beta testing) + +This rule blocks Adobe Reader from creating child processes. + ## Review Attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 0732ac1826..d3fdfd801d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
---
# Customize Attack surface reduction
@@ -76,7 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index de3f852b51..59f434e325 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
---
@@ -65,6 +65,7 @@ Block credential stealing from the Windows local security authority subsystem (l
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 8f8c0175e4..24a17e6b60 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -24,11 +24,16 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. ## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: +- [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) - [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) +### Windows Security app + +HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). + ### Enable HVCI using Intune Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index a7574b02af..90ebc28935 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- 
@@ -53,10 +53,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes: -- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md) +- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md) - [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) -- Windows Defender Device Guard +- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. 
@@ -69,13 +68,12 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, enhanced](./images/ball_75.png) | Includes advanced exploit protection for the kernel mode via [HVCI](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity) | -| ![supported, full reporting](./images/ball_full.png) | Includes automated reporting into the Windows Defender ATP console| +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | -| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) | +| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | 
![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index a63a9adb0a..bc843023a7 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +author: justinha ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 81483abf81..11e79cb879 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +author: justinha ms.localizationpriority: medium ms.date: 10/13/2017 --- 
diff --git a/windows/security/wdatp/images/WDATP-components.png b/windows/security/wdatp/images/WDATP-components.png new file mode 100644 index 0000000000..51f4335265 Binary files /dev/null and b/windows/security/wdatp/images/WDATP-components.png differ diff --git a/windows/security/wdatp/images/wdatp-pillars.png b/windows/security/wdatp/images/wdatp-pillars.png new file mode 100644 index 0000000000..06ad5e6ed2 Binary files /dev/null and b/windows/security/wdatp/images/wdatp-pillars.png differ diff --git a/windows/security/wdatp/images/wdatp-pillars2.png b/windows/security/wdatp/images/wdatp-pillars2.png new file mode 100644 index 0000000000..bbe88f3638 Binary files /dev/null and b/windows/security/wdatp/images/wdatp-pillars2.png differ diff --git a/windows/security/wdatp/index.md b/windows/security/wdatp/index.md new file mode 100644 index 0000000000..cb401fa3e4 --- /dev/null +++ b/windows/security/wdatp/index.md @@ -0,0 +1,48 @@ +--- +title: Windows Defender Advanced Threat Protection +description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.date: 06/04/2018 +--- + +# Windows Defender Advanced Threat Protection + +Windows Defender Advanced Threat Protection (Windows Defender ATP)is a unified platform for preventative protection, post-breach detection, automated investigation and response, employing intelligent protection to protect endpoints from cyber threats. + + +![Windows Defender ATP components](images/wdatp-pillars2.png) + +**Attack surface reduction**
    +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + +**Next generation protection**
    +To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + +**Endpoint detection and response**
    +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + +**Auto investigation and remediation**
    +In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +**Security posture**
    +Windows Defender ATP also provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. + +**Management and APIs**
    +Windows Defender ATP provides integrated configuration management in the cloud. The service also supports third-party mobile device management (MDM) tools, cross-platform support, and APIs that allow customers to create custom threat intelligence and automate workflows. + +Understand how capabilities align within the Windows Defender ATP suite offering: + + + Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture +:---|:---|:---|:---|:--- + [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/)

    [Application control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

    [Exploit protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

    [Network protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

    [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) | [Machine learning](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

    [Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

    [Threat intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

    [Sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) | [Response containment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

    [Realtime and historical threat hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

    [Threat intelligence and custom detections](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Forensic collection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

    [Response orchestration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

    [Historical endpoint data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

    [Artificial intelligence response playbooks](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | [Asset inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
    [Operating system baseline compliance](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

    [Recommended improvement actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection#improvement-opportunities)

    [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

    [Threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

    [Reporting and trends](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection) + +These capabilities are available across multiple products that make up the Windows Defender ATP platform. For more information on how to leverage all the Windows Defender ATP capabilities, see [Threat protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/index). + + diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 7db90dbaca..df2abc4ea4 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -234,3 +234,4 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
    [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/)
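Review bot: The added related-links entry `[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/)` points at an unrelated third-party site and has nothing to do with what's new in Windows 10, version 1803, while every other entry in this list links to docs.microsoft.com or an official video; it looks like link injection into official documentation and should be dropped before merge. The rest of this commit touches HVCI, Exploit Guard and the new WDATP index page, so this line appears unrelated to the commit's purpose and may have been carried in from an external contribution — worth confirming where it came from. Outbound links from an official docs repo carry the publisher's trust, so a reader following it to an unvetted domain is a phishing and content-integrity risk; a review check that flags PRs adding links to domains outside an allowlist would catch this class of change automatically.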