Iaan D'Souza-Wiltshire 2017-08-26 01:57:46 -07:00
commit d5a7ec83dc
35 changed files with 5868 additions and 1343 deletions

View File

@ -33,6 +33,7 @@
### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md)
### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md)
### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)

View File

@ -18,9 +18,14 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
## August 2017
New or changed topic | Description
--- | ---
| New or changed topic | Description |
| --- | --- |
[Accessibility](accessibility-surface-hub.md) | Added information about Narrator
[Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | New
## July 2017

Binary file not shown.

After

Width:  |  Height:  |  Size: 32 KiB

View File

@ -34,6 +34,7 @@ Learn about managing and updating Surface Hub.
| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.|
| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. |
| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. |
| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
| [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |

View File

@ -0,0 +1,83 @@
---
title: Sign in to Surface Hub with Microsoft Authenticator
description: Use Microsoft Authenticator on your mobile device to sign in to Surface Hub.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 07/27/2017
localizationpriority: medium
---
# Sign in to Surface Hub with Microsoft Authenticator
People in your organization can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS.
## Organization prerequisites
To let people in your organization sign in to Surface Hub with their phones and other devices instead of a password, youll need to make sure that your organization meets these prerequisites:
- Your organization must be a hybrid or cloud-only organization, backed by Azure Active Directory (Azure AD). For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-whatis)
- Make sure you have at minimum an Office 365 E3 subscription.
- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Select **Allow users to create app passwords to sign in to non-browser apps**, and make sure **Notification through mobile app** is selected.
![multi-factor authentication options](images/mfa-options.png)
- Enable content hosting on Azure AD services such as Office online, SharePoint, etc.
- Surface Hub must be running Windows 10, version 1703 or later.
- Surface Hub is set up with either a local or domain-joined account.
Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD.
## Individual prerequisites
- An Android phone running 6.0 or later, or an iPhone or iPad running iOS9 or later
- The most recent version of the Microsoft Authenticator app from the appropriate app store
>[!NOTE]
>The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub.
- Passcode or screen lock on your device is enabled
- A standard SMTP email address (example: joe@contoso.com). Non-standard or vanity SMTP email addresses (example: firstname.lastname@contoso.com) currently dont work.
## How to set up the Microsoft Authenticator app
>[!NOTE]
>If Company Portal is installed on your Android device, uninstall it before you set up Microsoft Authenticator. After you set up the app, you can reinstall Company Portal.
1. Add your work or school account to Microsoft Authenticator for Multi-Factor Authentication. You will need a QR code provided by your IT department. For help, see [Get started with the Microsoft Authenticator app](https://docs.microsoft.com/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to).
2. Go to **Settings** and register your device.
1. Return to the accounts page and choose **Enable phone sign-in** from the account dropdown menu.
## How to sign in to Surface Hub during a meeting
1. After youve set up a meeting, go to the Surface Hub and select **Sign in to see your meetings and files**.
>[!NOTE]
>If youre not sure how to schedule a meeting on a Surface Hub, see [Schedule a meeting on Surface Hub](https://support.microsoft.com/help/17325/surfacehub-schedulemeeting).
![screenshot of Sign in option on Surface Hub](images/sign-in.png)
2. Youll see a list of the people invited to the meeting. Select yourself (or the person who wants to sign in make sure this person has gone through the steps to set up their device before your meeting), and then select **Continue**.
![screenshot of list of attendees in a meeting](images/attendees.png)
You'll see a code on the Surface Hub.
![screenshot of code for Approve Sign in](images/approve-signin.png)
3. To approve the sign-in, open the Authenticator app, enter the four-digit code thats displayed on the Surface Hub, and select **Approve**. You will then be asked to enter the PIN or use your fingerprint to complete the sign in.
![screenshot of the Approve sign-in screen in Microsoft Authenticator](images/approve-signin2.png)
You can now access all files through the OneDrive app.
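
Review bot: The last two items under "Organization prerequisites" contradict each other: "Surface Hub is set up with either a local or domain-joined account" is followed directly by "you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD". State which device configurations are actually supported. The MFA prerequisite also tells admins to select **Allow users to create app passwords to sign in to non-browser apps** without saying why phone sign-in needs it; app passwords are credentials that skip the second factor, so admins who keep that option off will want a sentence of rationale. Under "How to set up the Microsoft Authenticator app" the third step is numbered `1.` after `2.`.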

View File

@ -23,7 +23,7 @@ This topic provides links to useful Surface Hub documents, such as product datas
| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hubs internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
| [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface%20Hub%20RASK.zip) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
| [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
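
Review bot: The replacement Rollout and Adoption Success Kit row now links to `Surface_Hub_Adoption_Kit_Final_0519.pdf`, but the link text still says "(ZIP)" and the description still says "zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more". Change the label to "(PDF)" and trim the description to what the PDF contains, or keep a link to the ZIP if the bundled material is still meant to be available.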

View File

@ -89,6 +89,14 @@ You can use your preferred method to view WMI. If you use PowerShell, run `gwmi
<td align="left"><p>14</p></td>
<td align="left"><p>AutoUnlock unsafe unless the OS volume is encrypted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>15</p></td>
<td align="left"><p>Policy requires minimum cypher strength is XTS-AES-128 bit, actual cypher strength is weaker than that.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>16</p></td>
<td align="left"><p>Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that.</p></td>
</tr>
</tbody>
</table>
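
Review bot: The two new status rows (15 and 16) spell the term "cypher"; BitLocker policy text uses "cipher strength", so searches for the usual spelling will miss these rows. The sentence is also hard to parse as written; something like "Policy requires a minimum cipher strength of XTS-AES-128, but the actual cipher strength is weaker" reads cleanly, and the same for the XTS-AES-256 row.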

View File

@ -150,32 +150,32 @@ The following diagram shows the DevDetail configuration service provider managem
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**VoLTEServiceSetting**
<a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**
<p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv4address"></a>**WlanIPv4Address**
<a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**
<p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv6address"></a>**WlanIPv6Address**
<a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**
<p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**WlanDnsSuffix**
<a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**
<p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**WlanSubnetMask**
<a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**
<p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!Note]

Binary file not shown.

Before

Width:  |  Height:  |  Size: 6.1 KiB

After

Width:  |  Height:  |  Size: 9.4 KiB

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/14/2017
ms.date: 08/25/2017
---
# What's new in MDM enrollment and management
@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew"></a>What's new in Windows 10, version 1511
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -184,7 +184,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew1607"></a>What's new in Windows 10, version 1607
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -495,7 +495,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew10"></a>What's new in Windows 10, version 1703
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -916,7 +916,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew1709"></a>What's new in Windows 10, version 1709
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -974,9 +974,18 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added the following setting in Windows 10, version 1709:</p>
<ul>
<li>Installation/CurrentStatus</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Browser/LockdownFavorites</li>
<li>Browser/ProvisionFavorites</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
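
Review bot: The added Office CSP row opens with `<tr class="odd">` and the Policy CSP row right after it is also `<tr class="odd">`, so the row striping no longer alternates. Make the new row `even` and adjust the classes of the rows that follow.
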
@ -1012,14 +1021,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Power/HibernateTimeoutPluggedIn</li>
<li>Power/StandbyTimeoutOnBattery</li>
<li>Power/StandbyTimeoutPluggedIn</li>
<li>Privacy/EnableActivityFeed</li>
<li>Privacy/PublishUserActivities</li>
<li>Defender/AttackSurfaceReductionOnlyExclusions</li>
<li>Defender/AttackSurfaceReductionRules</li>
<li>Defender/CloudBlockLevel </li>
<li>Defender/CloudExtendedTimeout</li>
<li>Defender/EnableGuardMyFolders</li>
<li>Defender/ControlledFolderAccessAllowedApplications</li>
<li>Defender/ControlledFolderAccessProtectedFolders</li>
<li>Defender/EnableControlledFolderAccess</li>
<li>Defender/EnableNetworkProtection</li>
<li>Defender/GuardedFoldersAllowedApplications</li>
<li>Defender/GuardedFoldersList</li>
<li>Education/DefaultPrinterName</li>
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
@ -1315,7 +1326,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
### August 2017
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -1365,6 +1376,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added the following setting in Windows 10, version 1709:</p>
<ul>
<li>Installation/CurrentStatus</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top">Added information to the ADMX-backed policies.
</td></tr>
@ -1378,10 +1396,21 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Added default values.</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy DDF file](policy-ddf-file.md)</td>
<td style="vertical-align:top">Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
<ul>
<li>Browser/AllowMicrosoftCompatibilityList</li>
<li>Update/DisableDualScan</li>
<li>Update/FillEmptyContentUrls</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Browser/ProvisionFavorites</li>
<li>Browser/LockdownFavorites</li>
<li>ExploitGuard/ExploitProtectionSettings</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
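
Review bot: The new Policy DDF file row links to `PolicyDDF_all_version1607_8C.xml` over `http://`. This is a file admins download and feed into management tooling, so use an `https://` URL if the host serves this path that way. In the same hunk, `Browser/ProvisionFavorites` is listed before `Browser/LockdownFavorites`, the reverse of the order used for the same two policies in the version 1709 table earlier in this file.
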
@ -1407,9 +1436,22 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Privacy/EnableActivityFeed</li>
<li>Privacy/PublishUserActivities</li>
</ul>
<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
<p>Changed the names of the following policies:</p>
<ul>
<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications</li>
<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders</li>
<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess</li>
</ul>
<p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).</p>
<p>There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:</p>
<ul>
<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</li>
<li>Start/HideAppList</li>
</ul>
</td></tr>
</tbody>
</table>
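
Review bot: "Window 10, version 1709" in the added paragraph about previously reported issues should read "Windows 10, version 1709". That paragraph also says issues were reported with Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts and Start/HideAppList without saying what they were; one clause describing the behavior that was fixed would tell admins whether earlier deployments need to be re-checked.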

View File

@ -6,11 +6,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/22/2017
---
# Office CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.
@ -38,7 +41,7 @@ The following diagram shows the Office configuration service provider in tree fo
<a href="" id="install"></a>**Install**
<p style="margin-left: 20px">Installs office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">Installs Office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">The supported operations are Get and Execute.
@ -48,13 +51,18 @@ The following diagram shows the Office configuration service provider in tree fo
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="currentstatus"></a>**CurrentStatus**
<p style="margin-left: 20px">Returns an XML of current Office 365 installation status on the device.
<p style="margin-left: 20px">The only supported operation is Get.
## Examples
Sample SyncML to install Office 365 Business Retail from current channel.
```syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>7</CmdID>
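
Review bot: The new **CurrentStatus** description says only that the node "Returns an XML of current Office 365 installation status on the device"; nothing here documents the elements of that XML or shows a sample return value, so a management server author cannot parse the result from this page. Add a sample response or a link to its schema. The namespace in the install example also moves from `SYNCML:SYNCML1.1` to `SYNCML:SYNCML1.2` with no mention in the text; note whether 1.1 requests are still accepted.
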
@ -76,7 +84,7 @@ Sample SyncML to install Office 365 Business Retail from current channel.
To uninstall the Office 365 from the system:
```syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>7</CmdID>
@ -95,6 +103,24 @@ To uninstall the Office 365 from the system:
</SyncML>
```
To get the current status of Office 365 on the device.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Get>
      <CmdID>7</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/Office/Installation/CurrentStatus</LocURI>
          </Target>
        </Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>
```
## Status code
<table>
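
Review bot: The code fence for the new Get example is opened with a space between the backticks and `syntax`, while the install and uninstall examples in this file open theirs without one; use one form throughout. The lead-in "To get the current status of Office 365 on the device." should end with a colon like "To uninstall the Office 365 from the system:", and `<Item>` in the new example is indented one level deeper than its sibling `<CmdID>`.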

View File

@ -7,11 +7,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/22/2017
---
# Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@ -19,7 +22,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
The XML below is for Windows 10, version 1709.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -30,12 +33,12 @@ The XML below is the current version for this CSP.
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Office</NodeName>
<Path>./Vendor/MSFT</Path>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root of the office CSP.</Description>
<Description>Root of the Office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
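
Review bot: The root `<Path>` changes from `./Vendor/MSFT` to `./User/Vendor/MSFT`, but the SyncML examples updated for the Office CSP in this same commit still target `./Vendor/MSFT/Office/Installation/CurrentStatus`. Say in the topic which scope each root node in this DDF represents and which of them the examples address, so readers do not send the documented request to a path the DDF no longer lists.
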
@ -46,7 +49,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/Office</MIME>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -55,7 +58,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Installation options for the office CSP.</Description>
<Description>Installation options for the Office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -100,7 +103,7 @@ The XML below is the current version for this CSP.
<Exec />
<Get />
</AccessType>
<Description>The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office.</Description>
<Description>The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -137,6 +140,27 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The current Office 365 installation status on the machine</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
@ -156,7 +180,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -243,6 +267,27 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The current Office 365 installation status on the machine</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/14/2017
ms.date: 08/25/2017
---
# Policy CSP
@ -456,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-homepages" id="browser-homepages">Browser/HomePages</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-lockdownfavorites" id="browser-lockdownfavorites">Browser/LockdownFavorites</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge" id="browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
</dd>
@ -474,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc" id="browser-preventusinglocalhostipaddressforwebrtc">Browser/PreventUsingLocalHostIPAddressForWebRTC</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-provisionfavorites" id="browser-provisionfavorites">Browser/ProvisionFavorites</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer" id="browser-sendintranettraffictointernetexplorer">Browser/SendIntranetTraffictoInternetExplorer</a>
</dd>
@ -667,7 +673,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-defender.md#defender-daystoretaincleanedmalware" id="defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enableguardmyfolders" id="defender-enableguardmyfolders">Defender/EnableGuardMyFolders</a>
<a href="./policy-csp-defender.md#defender-enablecontrolledfolderaccess" id="defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enablenetworkprotection" id="defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
@ -682,10 +688,10 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-defender.md#defender-excludedprocesses" id="defender-excludedprocesses">Defender/ExcludedProcesses</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-guardedfoldersallowedapplications" id="defender-guardedfoldersallowedapplications">Defender/GuardedFoldersAllowedApplications</a>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications" id="defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-guardedfolderslist" id="defender-guardedfolderslist">Defender/GuardedFoldersList</a>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders" id="defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-puaprotection" id="defender-puaprotection">Defender/PUAProtection</a>
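
Review bot: The renamed entries are edited in place, so `Defender/ControlledFolderAccessAllowedApplications` and `Defender/ControlledFolderAccessProtectedFolders` now sit after `Defender/ExcludedProcesses` in a list that is otherwise alphabetical; move them up to where "C" sorts. The anchor ids change along with the names (`defender-guardedfoldersallowedapplications` to `defender-controlledfolderaccessallowedapplications`, and likewise for the folder list), which breaks any inbound link to the old fragments; check for references elsewhere in the docs set or keep the old ids as aliases.
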
@ -2023,6 +2029,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-privacy.md#privacy-disableadvertisingid" id="privacy-disableadvertisingid">Privacy/DisableAdvertisingId</a>
</dd>
<dd>
<a href="./policy-csp-privacy.md#privacy-enableactivityfeed" id="privacy-enableactivityfeed">Privacy/EnableActivityFeed</a>
</dd>
<dd>
<a href="./policy-csp-privacy.md#privacy-letappsaccessaccountinfo" id="privacy-letappsaccessaccountinfo">Privacy/LetAppsAccessAccountInfo</a>
</dd>
@ -2239,6 +2248,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps" id="privacy-letappssyncwithdevices-userincontroloftheseapps">Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps</a>
</dd>
<dd>
<a href="./policy-csp-privacy.md#privacy-publishuseractivities" id="privacy-publishuseractivities">Privacy/PublishUserActivities</a>
</dd>
</dl>
### RemoteAssistance policies
@ -3353,6 +3365,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -3361,6 +3374,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
@ -3406,6 +3420,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Experience/AllowCortana](#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -3414,6 +3429,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/09/2017
ms.date: 08/25/2017
---
# Policy CSP - Browser
@ -965,6 +965,51 @@ Employees cannot remove these search engines, but they can set any one as the de
> [!NOTE]
> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="browser-lockdownfavorites"></a>**Browser/LockdownFavorites**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
<p style="margin-left: 20px">If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
<ul>
<li> 0 - Disabled. Do not lockdown Favorites.</li>
<li> 1 - Enabled. Lockdown Favorites.</li>
</ul>
<p style="margin-left: 20px">If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
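Review bot: In the Browser/LockdownFavorites description, the 0/1 value list does not mark which value is the default; the reader only learns it from the later sentence "If you disable or don't configure this setting (default)". Mark it in the list as "0 (default)", the form other policy entries in this commit use, and move the Important callout after the value list so the enable/disable behaviour reads in one run. The callout also names the "Keep favorites in sync between Internet Explorer and Microsoft Edge" setting without linking to its policy entry.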
@ -1194,6 +1239,49 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="browser-provisionfavorites"></a>**Browser/ProvisionFavorites**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
 
<p style="margin-left: 20px">URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\\network\shares\URLs.html"
- Local file: "SiteList"="file:///c:\\Users\\<user>\\Documents\\URLs.html"
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
<p style="margin-left: 20px">If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--StartPolicy-->
<a href="" id="browser-sendintranettraffictointernetexplorer"></a>**Browser/SendIntranetTraffictoInternetExplorer**
<!--StartSKU-->
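Review bot: The new Browser/ProvisionFavorites entry closes with `<!--EndDescription-->` and is followed directly by `<!--StartPolicy-->`, so the `<!--EndPolicy-->` marker that every other entry carries is missing. The three URL examples are written as "SiteList"=..., which is not the name of this policy and reads as carried over from another setting; show the value as it would be set for ProvisionFavorites. The first example also uses a plain http:// location for a file that defines what appears in every employee's Favorites, so an https:// example would be the better default to document.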

View File

@ -782,7 +782,7 @@ Value type is string.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="defender-enableguardmyfolders"></a>**Defender/EnableGuardMyFolders**
<a href="" id="defender-enablecontrolledfolderaccess"></a>**Defender/EnableControlledFolderAccess**
<!--StartSKU-->
<table>
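Review bot: Changing the anchor id from defender-enableguardmyfolders to defender-enablecontrolledfolderaccess breaks any existing deep link to the old fragment. If inbound links matter, keep an empty anchor with the old id next to the new one, and make sure the index list at the top of the Defender page is updated in the same commit.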
@ -809,13 +809,13 @@ Value type is string.
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
- 0 (default) - Off
- 1 - Audit mode
- 2 - Enforcement mode
- 0 (default) - Disabled
- 1 - Enabled
- 2 - Audit Mode
<!--EndDescription-->
<!--EndPolicy-->
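Review bot: The value list changes meaning, not just wording: 1 goes from "Audit mode" to "Enabled" and 2 goes from "Enforcement mode" to "Audit Mode", yet the note only mentions the rename from EnableGuardMyFolders. An admin who set 1 expecting audit-only behaviour needs to know which mapping is correct, so state explicitly that the earlier list was wrong (or that the values changed) rather than leaving it to a diff of the page. The description also still refers to "the guard my folders feature" twice after the policy was renamed to EnableControlledFolderAccess.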
@ -977,7 +977,7 @@ Value type is string.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="defender-guardedfoldersallowedapplications"></a>**Defender/GuardedFoldersAllowedApplications**
<a href="" id="defender-controlledfolderaccessallowedapplications"></a>**Defender/ControlledFolderAccessAllowedApplications**
<!--StartSKU-->
<table>
@ -1004,14 +1004,14 @@ Value type is string.
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode &#xF000; as the substring separator.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="defender-guardedfolderslist"></a>**Defender/GuardedFoldersList**
<a href="" id="defender-controlledfolderaccessprotectedfolders"></a>**Defender/ControlledFolderAccessProtectedFolders**
<!--StartSKU-->
<table>
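Review bot: The ControlledFolderAccessAllowedApplications description still says "the guard my folders feature" in two places, which no longer matches the policy name introduced in this hunk. "allows user-specified applications to the guard my folders feature" is also missing a verb (adding). Since this policy exempts applications from the folder protection, it would help to say what form an entry takes (for example a full executable path), which the text does not state.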
@ -1038,7 +1038,7 @@ Value type is string.
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode &#xF000; as the substring separator.
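Review bot: The description line under the renamed ControlledFolderAccessProtectedFolders entry has "This policy settings allows" (should be "setting") and "can not" (should be "cannot"), and it still calls the feature "guard my folders" while the note above it announces the new name. Fix the wording while the entry is being touched.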

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/09/2017
ms.date: 08/21/2017
---
# Policy CSP - Privacy
@ -34,11 +34,11 @@ ms.date: 08/09/2017
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
@ -48,6 +48,9 @@ ms.date: 08/09/2017
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
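Review bot: The added note "There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709" does not say what the issues were or how the policy behaves on earlier versions. An admin deciding whether to rely on this setting before 1709 cannot act on it; state the affected behaviour or say the policy should not be used before 1709.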
@ -133,6 +136,42 @@ ms.date: 08/09/2017
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="privacy-enableactivityfeed"></a>**Privacy/EnableActivityFeed**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed.
The following list shows the supported values:
- 0 Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud).
- 1 (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
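Review bot: The Privacy/EnableActivityFeed description omits the data type and supported operations that the Browser entries added in this commit include, and its paragraphs are not wrapped in the `<p style="margin-left: 20px">` used by the surrounding entries. The value 0 line has a stray sentence break ("roaming is disabled. (not published to the cloud)."); fold the parenthetical into the sentence. Since 1 is the default and causes activities to be roamed across devices, also state the most restricted value, as neighbouring Privacy entries do ("Most restricted value is 0").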
@ -2503,6 +2542,42 @@ ms.date: 08/09/2017
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="privacy-publishuseractivities"></a>**Privacy/PublishUserActivities**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed.
The following list shows the supported values:
- 0 Disabled. Apps/OS can't publish the *user activities*.
- 1 (default) Enabled. Apps/OS can publish the *user activities*.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
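Review bot: "Allows It Admins" in the Privacy/PublishUserActivities description should be "IT Admins". The entry does not explain how it differs from Privacy/EnableActivityFeed, which is described in almost the same words in this commit, so a reader cannot tell which of the two to set to stop activity data leaving the device. Add one sentence on the difference, plus the data type and supported operations.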
@ -2518,7 +2593,7 @@ Footnote:
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Privacy policies supported by Windows Holographic for Business
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -2545,6 +2620,7 @@ Footnote:
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Privacy policies supported by Microsoft Surface Hub
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -2553,5 +2629,7 @@ Footnote:
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
<!--EndSurfaceHub-->

View File

@ -448,10 +448,10 @@ ms.date: 08/09/2017
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
@ -462,7 +462,10 @@ ms.date: 08/09/2017
> [!NOTE]
> This policy requires reboot to take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list.
<p style="margin-left: 20px">Allows IT Admins to configure Start by collapsing or removing the all apps list.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
<p style="margin-left: 20px">The following list shows the supported values:
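Review bot: The description no longer says when the policy was introduced: "Added in Windows 10, version 1703" is dropped and the new note only says a fix was added in version 1709. Keep the introduction version and say what the reported issues were, so admins on 1703 know whether the setting is usable there.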

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,20 @@
---
title: Windows Autopilot EULA dismissal important information
description: A notice about EULA dismissal through Windows AutoPilot
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
ms.localizationpriority: high
ms.author: mayam
ms.date: 08/22/2017
ROBOTS: noindex,nofollow
---
# Windows Autopilot EULA dismissal important information
>[!IMPORTANT]
>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
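Review bot: The product name is spelled "Windows Autopilot" in the title and heading but "Windows AutoPilot" in the description field; pick one. In the IMPORTANT callout, "the administrator that's configuring to skip End User License Agreement (EULA)" is hard to parse; something like "the administrator who is configuring devices to skip the End User License Agreement (EULA)" reads cleanly without changing the meaning.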

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -181,12 +181,12 @@ During the life of a device, it may be necessary or desirable to switch between
<td align="left">Use media to upgrade to the latest Windows Insider Program build.</td>
</tr>
<tr class="odd">
<td align="left">Long-Term Servicing Channel (Targeted)</td>
<td align="left">Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.)</td>
<td align="left">Semi-Annual Channel (Targeted)</td>
<td align="left">Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.</td>
</tr>
<tr class="even">
<td align="left">Long-Term Servicing Channel</td>
<td align="left">Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build.</td>
<td align="left">Semi-Annual Channel</td>
<td align="left">Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.</td>
</tr>
</tbody>
</table>
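Review bot: After the rename, the "Semi-Annual Channel (Targeted)" and "Semi-Annual Channel" rows carry the identical instruction "Use media to upgrade. Note that the Semi-Annual Channel build must be a later build." The previous text distinguished the two targets; if the procedure really is the same for both, merge the rows, otherwise restore what differs. The instruction also no longer says what the media upgrades to.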

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -7,6 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt
ms.localizationpriority: high
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -7,6 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm
ms.localizationpriority: high
ms.date: 08/23/2017
author: greg-lindsay
---

View File

@ -7,6 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
ms.localizationpriority: high
ms.date: 08/23/2017
author: greg-lindsay
---
@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Add-DnsServerForwarder -IPAddress 192.168.0.2
</pre>
**Configure service and user accounts**
Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
On DC1, open an elevated Windows PowerShell prompt and type the following commands:
<pre style="overflow-y: visible">
New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
Set-ADUser -Identity user1 -PasswordNeverExpires $true
Set-ADUser -Identity administrator -PasswordNeverExpires $true
Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
</pre>
12. Minimize the DC1 VM window but **do not stop** the VM.
Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
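Review bot: The moved "Configure service and user accounts" block now sits in the middle of the numbered DC1 procedure, directly before step 12, but has no step number of its own, so the list numbering will either restart or skip depending on the renderer. Give it a number (and indent the `<pre>` block under it) or place it after the list. Because these commands put three service accounts in Domain Admins with one shared plaintext password and non-expiring passwords, the lab-only caveat in the quoted note should stay attached to the commands wherever they end up. The New-ADUser lines also pass a bare name to -UserPrincipalName (for example user1) with no domain suffix.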
@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Restart-Computer
</pre>
### Configure service and user accounts
Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
On DC1, open an elevated Windows PowerShell prompt and type the following commands:
<pre style="overflow-y: visible">
New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
Set-ADUser -Identity user1 -PasswordNeverExpires $true
Set-ADUser -Identity administrator -PasswordNeverExpires $true
Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
</pre>
This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
## Appendix A: Verify the configuration

View File

@ -82,7 +82,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not
Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used
Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Root | Turn off Windows Defender Antivirus | Not used
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
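Review bot: The "Turn off Windows Defender Antivirus" row now states a requirement inside the column that otherwise holds "Not used" or a link. A requirement that affects whether third-party antivirus works is easy to miss in a table cell; move it to a note below the table and say what happens if the setting is Enabled or Disabled rather than Not configured.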

View File

@ -25,7 +25,9 @@ Your environment needs the following hardware to run Application Guard.
|--------|-----------|
|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|4 GB minimum, 8 GB recommended|
|Hardware memory|8 GB minimum, 16 GB recommended|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
## Software requirements
Your environment needs the following hardware to run Application Guard.
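Review bot: While the hardware table is being updated, the sentence under "## Software requirements" still reads "Your environment needs the following hardware to run Application Guard"; it should say software. For the new IOMMU row, "Not required, but strongly recommended" gives no reason; a short clause on what it protects against would help readers decide.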
@ -34,4 +36,4 @@ Your environment needs the following hardware to run Application Guard.
|--------|-----------|
|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)|
|Browser|Microsoft Edge and Internet Explorer|
|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|

View File

@ -52,10 +52,9 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen
Added comments instantly appear on the pane.
## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**.
Suppression rules can be created from an existing alert.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
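Review bot: The rewritten intro drops the qualifier that suppression rules are for "specific alerts that are known to be innocuous such as known tools or processes in your organization" and replaces it with limiting "the alerts you see". That removes the only guidance on when suppressing is appropriate. Keep the innocuous-alert wording alongside the new sentence about disabling and reenabling rules.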
@ -64,7 +63,9 @@ There are two contexts for a suppression rule that you can choose from:
- **Suppress alert on this machine**
- **Suppress alert in my organization**
The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:
| **Context** | **Definition** | **Example scenarios** |
|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
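Review bot: The new sentence repeats itself ("tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal"). Suggest "The context of the rule lets you tailor what is surfaced in the portal so that only real security alerts appear."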
@ -87,35 +88,28 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
> [!NOTE]
> You cannot create a custom or blank suppression rule. You must start from an existing alert.
4. Specify the conditions for when the rule is applied:
- Alert title
- Indicator of compromise (IOC)
- Suppression conditions
- Alert title
- Indicator of compromise (IOC)
- Suppression conditions
> [!NOTE]
> The SHA1 of the alert cannot be modified
5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization.
> The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions.
5. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
6. Click **Save and close**.
**See the list of suppression rules:**
### View the list of suppression rules
1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen.
2. Click **Suppression rules**.
1. Click **Alerts queue** > **Suppression rules**.
![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png)
The list of suppression rules shows all the rules that users in your organization have created.
![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
Each rule shows:
- (1) The title of the alert that is suppressed
- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization
- (3) The date when the alert was suppressed
- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
2. The list of suppression rules shows all the rules that users in your organization have created.
You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
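Review bot: The note on the SHA1 now says it can be cleared "to remove it from the suppression conditions" without saying that removing a condition makes the rule match more alerts; add that consequence so a rule is not widened by accident. The same applies to the new sentence that hidden alerts are "suppressed from the entire system, both on the machine's associated alerts and from the dashboard": say where a hidden alert can still be found. The per-rule legend, including the option to delete a rule, is gone and the new text only covers activating disabled rules, so deletion is no longer documented. The screenshot alt text still describes clicking the settings icon, while the step now reads **Alerts queue** > **Suppression rules**.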