diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index be7007b5ea..7c4e04d4a5 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -2,9 +2,9 @@ "build_entry_point": "", "docsets_to_publish": [ { - "docset_name": "bcs-vsts", + "docset_name": "bcs-VSTS", "build_source_folder": "bcs", - "build_output_subfolder": "bcs-vsts", + "build_output_subfolder": "bcs-VSTS", "locale": "en-us", "monikers": [], "moniker_ranges": [], diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 599204ce64..19546735ca 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -4907,7 +4907,7 @@ }, { "source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md", -"redirect_url": "/windows/configuration/configure-windows-telemetry-in-your-organization", +"redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization", "redirect_document_id": true }, { @@ -5932,7 +5932,12 @@ }, { "source_path": "windows/configure/configure-windows-telemetry-in-your-organization.md", -"redirect_url": "/windows/configuration/configure-windows-telemetry-in-your-organization", +"redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization", +"redirect_document_id": true +}, +{ +"source_path": "windows/configuration/configure-windows-telemetry-in-your-organization.md", +"redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization", "redirect_document_id": true }, { diff --git a/bcs/index.md b/bcs/index.md index aee1cc4e7a..49e0775203 100644 --- a/bcs/index.md +++ b/bcs/index.md @@ -1,3 +1,3 @@ --- -redirect_url: https://docs.microsoft.com/microsoft-365/business/index +redirect_url: /microsoft-365/business/ --- diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 215e7cc5a8..70a990a885 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -7,15 +7,14 @@ ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: high -ms.date: 09/13/2017 +ms.date: 09/13/2017 #Previsou release date --- + + # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge -**Applies to:** - -- Windows 10 -- Windows 10 Mobile +> Applies to: Windows 10, Windows 10 Mobile Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. @@ -25,348 +24,359 @@ By using Group Policy and Intune, you can set up a policy setting once, and then > For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). ## Group Policy settings +Microsoft Edge works with the following Group Policy settings to help you manager your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location: + +`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\` + + ### Allow Address bar drop-down list suggestions -- **Supported versions:** Windows 10, version 1703 - -- **Description:** This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - If you enable or don't configure this setting (default), employees can see the Address bar drop-down functionality in Microsoft Edge. - - - If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type". - - > [!Note] - > Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. +>*Supporteded versions: Windows 10, version 1703* +This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. +| If you... | Then... | +| --- | --- | +| Enable this setting (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. | +| Disable this setting | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."

Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. | +| + ### Allow Adobe Flash -- **Supported versions:** Windows 10 or later +>*Supporteded version: Windows 10* -- **Description:** This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - If you enable or don't configure this setting (default), employees can use Adobe Flash. - - - If you disable this setting, employees can't use Adobe Flash. +This policy setting lets you decide whether employees can run Adobe Flash on Microsoft Edge. +| If you… | Then… | +| --- | --- | +| Enable or don’t configure this setting (default) | Employees can use Adobe Flash. | +| Disable this setting | Employees cannot use Adobe Flash. | +| ### Allow clearing browsing data on exit -- **Supported versions:** Windows 10, version 1703 +>*Supporteded versions: Windows 10, version 1703* -- **Description:** This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. - - - If you enable this policy setting, clearing browsing history on exit is turned on. - - - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings. +This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. +| If you… | Then… | +| --- | --- | +| Enable this setting | Clear browsing history on exit is turned on. | +| Disable or don’t configure this setting (default) | Employees can turn on and configure the Clear browsing data option under Settings. | +| ### Allow Developer Tools -- **Supported versions:** Windows 10, version 1511 or later +>*Supporteded versions: Windows 10, version 1511 or later* -- **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge. - - - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. +This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. +| If you… | Then… | +| --- | --- | +| Enable this setting (default) | F12 Developer Tools are available. | +| Disable this setting | F12 Developer Tools are not available. | +| ### Allow Extensions -- **Supported versions:** Windows 10, version 1607 or later +>*Supporteded versions: Windows 10, version 1607 or later* -- **Description:** This policy setting lets you decide whether employees can use Edge Extensions. - - - If you enable or don’t configure this setting, employees can use Edge Extensions. - - - If you disable this setting, employees can’t use Edge Extensions. +This policy setting lets you decide whether employees can use Edge Extensions. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees can use Edge Extensions. | +| Disable this setting | Employees cannot use Edge Extensions. | +| ### Allow InPrivate browsing -- **Supported versions:** Windows 10, version 1511 or later +>*Supporteded versions: Windows 10, version 1511 or later* -- **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing. - - - If you enable or don’t configure this setting (default), employees can use InPrivate website browsing. - - - If you disable this setting, employees can’t use InPrivate website browsing. +This policy setting lets you decide whether employees can browse using InPrivate website browsing. +| If you… | Then… | +| --- | --- | +| Enable this setting (default) | Employees can use InPrivate website browsing. | +| Disable this setting | Employees cannot use InPrivate website browsing. | +| ### Allow Microsoft Compatibility List -- **Supported versions:** Windows 10, version 1607 or later +>*Supporteded versions: Windows 10, version 1607 or later* -- **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. - - - If you enable or don’t configure this setting (default), Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly. - - - If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation. +This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. +| If you… | Then… | +| --- | --- | +| Enable this setting (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. | +| Disable this setting | Browser navigation does not use the Microsoft Compatibility List. | +| ### Allow search engine customization -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy setting lets you decide whether users can change their search engine. +This policy setting lets you decide whether users can change their search engine. Important. You can only use this setting with domain-joined or MDM-enrolled devices. - >[!Important] - >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy). - - If you enable or don't configure this policy (default), users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. - - - If you disable this setting, users can't add search engines or change the default used in the address bar. +| If you… | Then… | +| --- | --- | +| Enable or don’t configure this setting (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. | +| Disable this setting | Employees cannot add search engines or change the default used in the Address bar. | +| ### Allow web content on New Tab page -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it. - - - If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - - - If you disable this setting, Microsoft Edge opens a new tab with a blank page. - - - If you don’t configure this setting (default), employees can choose how new tabs appears. +This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it. +| If you… | Then… | +| --- | --- | +| Enable this setting | Microsoft Edge opens a new tab with the New Tab page. | +| Disable this setting | Microsoft Edge opens a new tab with a blank page. | +| Do not configure this setting (default) | Employees can choose how new tabs appear. | +| ### Configure additional search engines -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting. - - > [!Important] - > This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - - - If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format: - - https://www.contoso.com/opensearch.xml - - For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. - - - If you disable this setting (default), any added search engines are removed from your employee's devices. - - - If you don't configure this setting, the search engine list is set to what is specified in App settings. +This policy setting lets you add up to 5 additional search engines, which cannot be removed by your employees but can make a personal default engine. This setting does not set the default search engine. For that, you must use the "Set default search engine" setting. +| If you… | Then… | +| --- | --- | +| Enable this setting | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

``

For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable this setting (default) | Any added search engines are removed from the employee’s device. | +| Do not configure this setting | The search engine list is set to what is specified in App settings. | +| ### Configure Autofill -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. - - - If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. - - - If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge. - - - If you don’t configure this setting (default), employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. +This policy setting lets you decide whether employees can use Autofill the form fields automatically while using Microsoft Edge. By default, employees can choose whether to use Autofill. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees can use Autofill to populate form fields automatically. | +| Disable this setting | Employees cannot use Autofill to populate form fields automatically. | +| Do not configure this setting (default) | Employees can choose whether to use Autofill to populate the form fields automatically. | +| ### Configure cookies -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This setting lets you configure how to work with cookies. - - - If you enable this setting, you must also decide whether to: - - **Allow all cookies (default):** Allows all cookies from all websites. - - - **Block all cookies:** Blocks all cookies from all websites. - - - **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites. - - - If you disable or don't configure this setting, all cookies are allowed from all sites. +This setting lets you configure how to work with cookies. +| If you… | Then… | +| --- | --- | +| Enable this setting (default) | You must also decide whether to:

| +| Disable or do not configure this setting | All cookies are allowed from all sites. | +| ### Configure Do Not Track -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests. - - - If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info. - - - If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. - - - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info. +This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests are never sent, but employees can choose to turn on and send requests. +| If you… | Then… | +| --- | --- | +| Enable this setting | Do Not Track requests are always sent to websites asking for tracking information. | +| Disable this setting | Do Not Track requests are never sent to websites asking for tracking information. | +| Do not configure this setting (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. | +| ### Configure Favorites -- **Supported versions:** Windows 10, version 1511 or later +>*Supported versions: Windows 10, version 1511 or later* -- **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. - - - If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed. - - - If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub. +This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. +| If you… | Then… | +| --- | --- | +| Enable this setting | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. | +| Disable or do not configure this setting | Employees will see the Favorites that they set in the Favorites hub. | +| ### Configure Password Manager -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. - - - If you enable this setting (default), employees can use Password Manager to save their passwords locally. - - - If you disable this setting, employees can’t use Password Manager to save their passwords locally. - - - If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. +This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. +| If you… | Then… | +| --- | --- | +| Enable this setting (default) | Employees can use Password Manager to save their passwords locally. | +| Disable this setting | Employees can’t use Password Manager to save their passwords locally. | +| Do not configure this setting | Employees can choose whether to use Password Manager to save their passwords locally. | +| ### Configure Pop-up Blocker -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. - - - If you enable this setting (default), Pop-up Blocker is turned on, stopping pop-up windows from appearing. - - - If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. - - - If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. +This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. +| If you… | Then… | +| --- | --- | +| Enable this setting (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. | +| Disable this setting | Pop-up Blocker is turned off, letting pop-up windows appear. | +| Do not configure this setting | Employees can choose whether to use Pop-up Blocker. | +| ### Configure search suggestions in Address bar -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. - - - If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. - - - If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. - - - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. +This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees can see search suggestions in the Address bar. | +| Disable this setting | Employees cannot see search suggestions in the Address bar. | +| Do not configure this setting (default) | Employees can choose whether search suggestions appear in the Address bar. | +| ### Configure Start pages -- **Supported versions:** Windows 10, version 1511 or later +>*Supported versions: Windows 10, version 1511 or later* -- **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. - - - If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: - - - - - If you disable or don’t configure this setting (default), your default Start page is the webpage specified in App settings. +This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees will not be able to change this after you set it. +| If you… | Then… | +| --- | --- | +| Enable this setting | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:

`` | +| Disable or do not configure this setting (default) | The default Start page is the webpage specified in App settings. | +| ### Configure the Adobe Flash Click-to-Run setting -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. - - - If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge. +This policy setting lets you decide whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. +| If you… | Then… | +| --- | --- | +| Enable or don’t configure this setting< | Employees must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. | +| Disable this setting | Adobe Flash loads automatically and runs in Microsoft Edge. | +| ### Configure the Enterprise Mode Site List -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. +This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. +| If you… | Then… | +| --- | --- | +| Enable this setting | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. | +Disable or do not configure this setting (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. | +| - - If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you use this option, you must also add the location to your site list in the **{URI}** box. When configured, any site on the list will always open in Internet Explorer 11. - - - If you disable or don’t configure this setting (default), Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. - - >[!Note] - >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

- >If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. +>[!Note] +>If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.

+>If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one. ### Configure Windows Defender SmartScreen -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. - - - If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off. - - - If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on. - - - If you don’t configure this setting (default), employees can choose whether to use Windows Defender SmartScreen. +This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. +| If you… | Then… | +| --- | --- | +| Enable this setting | Windows Defender SmartScreen is turned on, and employees cannot turn it off. | +| Disable this setting | Windows Defender SmartScreen is turned off, and employees cannot turn it on. | +| Do not configure this setting | Employees can choose whether to use Windows Defender SmartScreen. | +| ### Disable lockdown of Start pages -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect. +This policy setting lets you disable the lockdown of Start pages if the Configure Start pages setting is in effect . This setting only applies to domain-joined or MDM-enrolled devices. - >[!Important] - >This setting only applies when you're using the “Configure Start pages" setting and can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - - - If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them. - - - If you disable or don't configure this setting (default), employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages. +For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy). + +| If you… | Then… | +| --- | --- | +| Enable this setting | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. | +| Disable or do not configure this setting (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. | +| ### Keep favorites in sync between Internet Explorer and Microsoft Edge -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position. +This policy setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position. - >[!Note] - >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. - - - If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. - - - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. + +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees can sync their favorites between Internet Explorer and Microsoft Edge.

Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. | +| Disable or do not configure this setting | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. | +| ### Prevent access to the about:flags page -- **Supported versions:** Windows 10, version 1607 or later +>*Supported versions: Windows 10, version 1607 or later* -- **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. - - - If you enable this policy setting, employees can’t access the about:flags page. - - - If you disable or don’t configure this setting (default), employees can access the about:flags page. +This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees cannot access the about:flags page. | +| Disable or do not configure this setting (default) | Employees can access the about:flags page. | +| ### Prevent bypassing Windows Defender SmartScreen prompts for files -- **Supported versions:** Windows 10, version 1511 or later - -- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. - - - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files. - - - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. +>*Supported versions: Windows 10, version 1511 or later* +This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. | +| Disable or do not configure this setting (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. | +| ### Prevent bypassing Windows Defender SmartScreen prompts for sites -- **Supported versions:** Windows 10, version 1511 or later +>*Supported versions: Windows 10, version 1511 or later* -- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. - - - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site. - - - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue to the site. +This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. | +| Disable or do not configure this setting (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. | +| ### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. +This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. +| If you… | Then… | +| --- | --- | +| Enable this setting | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. | +| Disable or do not configure this setting (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. | +| - - If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. - - - If you disable or don't configure this setting (default), Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. ### Prevent the First Run webpage from opening on Microsoft Edge -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. - - - If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. - - - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. +This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. +| If you… | Then… | +| --- | --- | +| Enable this settin | Employees do not see the First Run page. | +| Disable or do not configure this setting (default) | Employees see the First Run page. | +| ### Prevent using Localhost IP address for WebRTC -- **Supported versions:** Windows 10, version 1511 or later +>*Supported versions: Windows 10, version 1511 or later* -- **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. - - - If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol. - - - If you disable or don’t configure this setting (default), Localhost IP addresses are shown while making calls using the WebRTC protocol. +This policy setting lets you decide whether localhost IP addresses are visible or hidden while making calls to the WebRTC protocol. +| If you… | Then… | +| --- | --- | +| Enable this setting | Localhost IP addresses are hidden. | +| Disable or do not configure this setting (default) | Localhost IP addresses are visible. | +| ### Send all intranet sites to Internet Explorer 11 -- **Supported versions:** Windows 10 or later +>*Supported versions: Windows 10* -- **Description:** This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. - - - If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. - - - If you disable or don’t configure this setting (default), all websites, including intranet sites, are automatically opened using Microsoft Edge. +This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. +| If you… | Then… | +| --- | --- | +| Enable this setting | All intranet sites are opened in Internet Explorer 11 automatically. | +| Disable or do not configure this setting (default) | All websites, including intranet sites, open in Microsoft Edge. | +| ### Set default search engine -- **Supported versions:** Windows 10, version 1703 +>*Supported versions: Windows 10, version 1703* -- **Description:** This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. +This policy setting applies only to domain-joined or MDM-enrolled devices and lets you configure the default search engine for Microsoft Edge. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. - >[!Important] - >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

- >If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. +For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy). - - If you enable this setting, you can choose a default search engine for your employees. To choose the default engine, you must add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format: - - https://fabrikam.com/opensearch.xml - - - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market. - - - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. +| If you… | Then… | +| --- | --- | +| Enable this setting | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

`https://fabrikam.com/opensearch.xml` | +| Disable this setting | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . | +| Do not configure this setting | The default search engine is set to the one specified in App settings. | +| +>[!Important] +>If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. ### Show message when opening sites in Internet Explorer -- **Supported versions:** Windows 10, version 1607 and later +>*Supported versions: Windows 10, version 1607 and later* -- **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. - - - If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. - - - If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears. +This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. +| If you… | Then… | +| --- | --- | +| Enable this setting | Employees see an additional page. | +| Disable or do not configure this setting (default) | No additional pages display. | +| ## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page. @@ -397,7 +407,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** Allowed. Address bar drop-down is enabled. ### AllowAutofill -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Desktop @@ -414,7 +424,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** Employees can use Autofill to complete form fields. ### AllowBrowser -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Mobile @@ -431,7 +441,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** Employees can use Microsoft Edge. ### AllowCookies -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Both @@ -462,12 +472,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Employees can't use the F12 Developer Tools. + - **0.** Employees cannot use the F12 Developer Tools. - **1 (default).** Employees can use the F12 Developer Tools. ### AllowDoNotTrack -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Both @@ -501,7 +511,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** Employees can use Edge Extensions. ### AllowFlash -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Desktop @@ -564,12 +574,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0.** Additional search engines aren't allowed and the default can’t be changed in the Address bar. + - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar. - **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar. ### AllowPasswordManager -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Both @@ -581,12 +591,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0 (default).** Employees can't use Password Manager to save passwords locally. + - **0 (default).** Employees cannot use Password Manager to save passwords locally. - **1.** Employees can use Password Manager to save passwords locally. ### AllowPopups -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Desktop @@ -621,7 +631,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### AllowSearchSuggestionsinAddressBar -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Both @@ -638,7 +648,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Employees can see search suggestions in the Address bar of Microsoft Edge. ### AllowSmartScreen -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Both @@ -706,7 +716,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Disable lockdown of the Start pages and allow users to modify them. ### EnterpriseModeSiteList -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Desktop @@ -747,7 +757,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11. + URLs must be on separate lines and are not shared between Microsoft Edge and Internet Explorer 11. ### FirstRunURL - **Supported versions:** Windows 10, version 1511 or later @@ -802,7 +812,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **0 (default).** Employees can access the about:flags page in Microsoft Edge. - - **1.** Employees can't access the about:flags page in Microsoft Edge. + - **1.** Employees cannot access the about:flags page in Microsoft Edge. ### PreventFirstRunPage - **Supported versions:** Windows 10, version 1703 @@ -819,7 +829,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **0 (default).** Employees see the First Run webpage. - - **1.** Employees don't see the First Run webpage. + - **1.** Employees do not see the First Run webpage. ### PreventLiveTileDataCollection - **Supported versions:** Windows 10, version 1703 @@ -887,10 +897,10 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol. - - **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol. + - **1.** Does not show an employee's LocalHost IP address while using the WebRTC protocol. ### SendIntranetTraffictoInternetExplorer -- **Supported versions:** Windows 10 or later +- **Supported versions:** Windows 10 - **Supported devices:** Desktop @@ -968,9 +978,9 @@ These are additional Windows 10-specific Group Policy settings that work with M - **Description:** This policy settings lets you decide whether employees can use Cortana. - - If you enable or don't configure this setting, employees can use Cortana on their devices. + - If you enable or do not configure this setting, employees can use Cortana on their devices. - - If you disable this setting, employees won't be able to use Cortana on their devices. + - If you disable this setting, employees will not be able to use Cortana on their devices. >[!Note] >Employees can still perform searches even with Cortana turned off. @@ -982,7 +992,7 @@ These are additional Windows 10-specific Group Policy settings that work with M - If you enable this setting, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. - - If you disable or don't configure this setting (default), the Sync your Settings options are turned on, letting employees pick what can sync on their device. + - If you disable or do not configure this setting (default), the Sync your Settings options are turned on, letting employees pick what can sync on their device. ### Do not sync browser settings - **Location:** Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings @@ -991,7 +1001,7 @@ These are additional Windows 10-specific Group Policy settings that work with M - If you enable this setting, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. - - If you disable or don't configure this setting (default), the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. + - If you disable or do not configure this setting (default), the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. ## Microsoft Edge and Windows 10-specific MDM policy settings diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index 433e1061bf..cffe549908 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -13,15 +13,15 @@ ms.date: 07/27/2017 # Use Enterprise Mode to improve compatibility -**Applies to:** - -- Windows 10 +> Applies to: Windows 10 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. -> **Note**
+ +[@Reviewer: will RS5 have the need for the following note?] +>[!NOTE] >If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). ## Fix specific websites @@ -98,7 +98,5 @@ You can add the **Send all intranet traffic over to Internet Explorer** Group Po * [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714)   -  - diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index 6c45062cc6..81c4a2c980 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -13,15 +13,13 @@ ms.date: 07/27/2017 # Microsoft Edge requirements and language support -**Applies to:** - -- Windows 10 -- Windows 10 Mobile +>Applies to: Windows 10, Windows 10 Mobile Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. ->**Note**
The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. +>[!NOTE] +>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. ## Minimum system requirements Some of the components in this table might also need additional system resources. Check the component's documentation for more information. diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index ca6eea8b48..05335d7416 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -12,10 +12,7 @@ ms.date: 09/19/2017 # Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -**Applies to:** - -- Windows 10 -- Windows 10 Mobile +>Applies to: Windows 10, Windows 10 Mobile **Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?** diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 2e06bbe027..40952d55dc 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -11,19 +11,16 @@ ms.date: 10/16/2017 # Security enhancements for Microsoft Edge -**Applies to:** - -- Windows 10 -- Windows 10 Mobile +>Applies to: Windows 10, Windows 10 Mobile Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. ## Help to protect against web-based security threats While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking: -- **Trickery.** Means using things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t. +- **Trickery** uses things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t. -- **Hacking.** Means attacking a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device. +- **Hacking** attacks a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device. While trickery and hacking are threats faced by every browser, it’s important that we explore how Microsoft Edge addresses these threats and is helping make the web a safer experience. @@ -55,8 +52,8 @@ The Microsoft EdgeHTML engine also helps to defend against hacking through these - Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. - **Note**
- Both Microsoft Edge and Internet Explorer 11 support HSTS. +>[!NOTE] +>Both Microsoft Edge and Internet Explorer 11 support HSTS. #### All web content runs in an app container sandbox Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 237d0411b6..df6a01cb68 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -191,6 +191,17 @@ The <url> attribute, as part of the <site> element in the v.2 versio +allow-redirect +A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser). +

Example +

+<site url="contoso.com/travel">
+  <open-in allow-redirect="true">IE11</open-in>
+</site>
+In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. +Internet Explorer 11 and Microsoft Edge + + version Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. Internet Explorer 11 and Microsoft Edge diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 428a49e956..1412357e31 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -12,7 +12,7 @@ ms.date: 07/27/2017 # Enroll HoloLens in MDM -You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens) and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies). +You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business), the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens), and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies). >[!NOTE] >Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md). diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 595a61e131..b82d427482 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 01/17/2018 +ms.date: 02/16/2018 ms.localizationpriority: medium --- @@ -16,6 +16,14 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## February 2018 + +New or changed topic | Description +--- | --- +[Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Updated instructions for custom settings using Microsoft Intune. +[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts. +| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts. + ## January 2018 New or changed topic | Description diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 1a16c46d86..44cc9145f9 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -31,7 +31,7 @@ When connecting external devices and displays to a Surface Hub, there are severa ## Guest Mode -Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be re-routed through an alternate path, allowing the source to be displayed full-screen without violating HDCP requirements. +Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source. >[!NOTE] >When an HDCP source is connected, use the side keypad to change source inputs. diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 47f53254f6..f6f48f6401 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -91,7 +91,7 @@ From here on, you'll need to finish the account creation process using PowerShel In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console: - [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149) -- [Windows Azure Active Directory Module for Windows PowerShell](https://go.microsoft.com/fwlink/p/?linkid=236297) +- [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids) - [Skype for Business Online, Windows PowerShell Module](http://www.microsoft.com/download/details.aspx?id=39366) ### Connecting to online services diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 1281d6ae51..de3ffd59ee 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 10/20/2017 +ms.date: 02/21/2018 ms.localizationpriority: medium --- @@ -38,11 +38,11 @@ Use this procedure if you use Exchange on-premises. -3. Enable the remote mailbox. +2. Enable the remote mailbox. Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet. - ```ps1 + ```PowerShell Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room ``` >[!NOTE] @@ -54,7 +54,7 @@ Use this procedure if you use Exchange on-premises. > >msExchRecipientTypeDetails = 8589934592 -2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. +3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. 4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365. @@ -62,8 +62,8 @@ Use this procedure if you use Exchange on-premises. The next steps will be run on your Office 365 tenant. - ```ps1 - Set-ExecutionPolicy Unrestricted + ```PowerShell + Set-ExecutionPolicy RemoteSigned $cred=Get-Credential -Message "Please use your Office 365 admin credentials" $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess @@ -77,13 +77,13 @@ Use this procedure if you use Exchange on-premises. If you haven’t created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```ps1 + ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` Once you have a compatible policy, then you will need to apply the policy to the device account. - ```ps1 + ```PowerShell Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id ``` @@ -91,31 +91,44 @@ Use this procedure if you use Exchange on-premises. Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```ps1 + ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!' ``` 7. Connect to Azure AD. + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + ```PowerShell + Install-Module -Name AzureAD + ``` + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```ps1 - Connect-MsolService -Credential $cred + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` - 8. Assign an Office 365 license. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. + + You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). - - ```ps1 - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid). @@ -144,25 +157,25 @@ The following table lists the Office 365 plans and Skype for Business options. 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. - ```ps1 - Import-Module LyncOnlineConnector + ```PowerShell + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ```ps1 + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - ```ps1 + ```PowerShell Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool* ``` -2. Assign Skype for Business license to your Surface Hub account. +3. Assign Skype for Business license to your Surface Hub account. Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. @@ -215,10 +228,10 @@ Use this procedure if you use Exchange online. Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets. - ```ps1 - Set-ExecutionPolicy Unrestricted + ```PowerShell + Set-ExecutionPolicy RemoteSigned $cred=Get-Credential -Message "Please use your Office 365 admin credentials" - $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess ``` @@ -228,13 +241,13 @@ Use this procedure if you use Exchange online. If you're changing an existing resource mailbox: - ```ps1 + ```PowerShell Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` If you’re creating a new resource mailbox: - ```ps1 + ```PowerShell New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` @@ -246,13 +259,13 @@ Use this procedure if you use Exchange online. If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```ps1 + ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. - ```ps1 + ```PowerShell Set-Mailbox 'HUB01@contoso.com' -Type Regular Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id Set-Mailbox 'HUB01@contoso.com' -Type Room @@ -264,7 +277,7 @@ Use this procedure if you use Exchange online. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```ps1 + ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` @@ -294,24 +307,38 @@ Use this procedure if you use Exchange online. 7. Connect to Azure AD. + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + + ```PowerShell + Install-Module -Name AzureAD + ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```ps1 - Connect-MsolService -Credential $cred + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` 8. Assign an Office 365 license. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. - ```ps1 - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-premises](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid). @@ -323,22 +350,22 @@ In order to enable Skype for Business, your environment will need to meet the [p 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC. - ``` - Import-Module LyncOnlineConnector + ```PowerShell + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ``` + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - ``` + ```PowerShell Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool* ``` @@ -368,7 +395,7 @@ For validation, you should be able to use any Skype for Business client (PC, And To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run: -``` +```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName ``` @@ -383,7 +410,7 @@ In a hybrid Skype environment, you have to create the user on-premises first, th In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-premises](#exchange-on-premises) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-premises Skype server: -``` +```PowerShell Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName ``` diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 23eb0e418f..7e530429bf 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub, mobility author: jdeckerms ms.author: jdecker -ms.date: 01/17/2018 +ms.date: 02/16/2018 ms.localizationpriority: medium --- @@ -212,38 +212,9 @@ The data type is also stated in the CSP documentation. The most common data type ## Example: Manage Surface Hub settings with Microsoft Intune -You can use Microsoft Intune to manage Surface Hub settings. +You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**. -**To create a configuration policy from a template** -You'll use the **Windows 10 Team general configuration policy** as the template. - -1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account. -2. On the left-hand navigation menu, click **Policy**. -3. In the Overview page, click **Add Policy**. -4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**. - - ![template for Windows 10 Team](images/intune-template.png) -5. Configure your policy, then click **Save Policy** - - ![save policy](images/intune-save-policy.png) -6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune). - -**To create a custom configuration policy** - -You’ll need to create a custom policy using the **Custom Configuration (Windows 10 Desktop and Mobile and later)** template to manage settings that are not available in the **Windows 10 Team general configuration policy** template. - -1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account. -2. On the left-hand navigation menu, click **Policy**. -3. On the Overview page, click **Add Policy**. -4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. -5. Type a name and optional description for the policy. -6. Under OMA-URI Settings, click **Add**. -7. Complete the form to create a new setting, and then click **OK**. - - ![example of OMA URI form](images/oma-uri.png) -8. Repeat Steps 6 and 7 for each setting you want to configure with this policy. -9. After you're done, click **Save Policy** and deploy it to a user or device group. ## Example: Manage Surface Hub settings with System Center Configuration Manager diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 6dc990e855..6a314c317a 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 08/29/2017 +ms.date: 02/21/2018 ms.localizationpriority: medium --- @@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Be sure you have the right permissions set to run the associated cmdlets. ```PowerShell - Set-ExecutionPolicy Unrestricted + Set-ExecutionPolicy RemoteSigned $org='contoso.microsoft.com' $cred=Get-Credential admin@$org $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection @@ -70,37 +70,52 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ``` 5. Connect to Azure AD. - + + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + + ```PowerShell + Install-Module -Name AzureAD + ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. ```PowerShell - Connect-MsolService -Credential $cred + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` 6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. ```PowerShell - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true + Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration" ``` 7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. ```PowerShell - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US" - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` 8. Enable the device account with Skype for Business. + If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366). - Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -108,12 +123,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): ```PowerShell - Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + (Get-CsTenant).TenantPoolExtension ``` OR by setting a variable ```PowerShell - $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool + $strRegistrarPool = (Get-CsTenant).TenantPoolExtension + $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1) ``` - Enable the Surface Hub account with the following cmdlet: diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index 0f3defa248..07671c8e12 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md @@ -28,7 +28,7 @@ The customized Start menu is defined in a Start layout XML file. You have two op - Configure the desired Start menu on a desktop (pinning only apps that are available on Surface Hub), and then [export the layout](https://docs.microsoft.com/windows/configuration/customize-and-export-start-layout#export-the-start-layout). >[!TIP] ->To add a tile with a web link to your desktop start menu, go the the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML. +>To add a tile with a web link to your desktop start menu, go to the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML. To edit the default XML or the exported layout, familiarize yourself with the [Start layout XML](https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop). There are a few [differences between Start layout on a deskop and a Surface Hub.](#differences) @@ -176,4 +176,8 @@ This example shows a link to a website and a link to a .pdf file. -``` \ No newline at end of file +``` + +## More information + +- [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index d115d86ecf..a12b0c33f7 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -5,19 +5,25 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.date: 01/29/2018 +ms.date: 02/12/2018 --- # Change history for Surface documentation This topic lists new and updated topics in the Surface documentation library. +## February 2018 + +|New or changed topic | Description | +| --- | --- | +|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.46.0 information | + ## January 2018 |New or changed topic | Description | | --- | --- | |[Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | New article | -|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45 information | +|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45.0 information | |[Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)](surface-device-compatibility-with-windows-10-ltsc.md) | Updated Current Branch (CB) or Current Branch for Business (CBB) servicing options with Semi-Annual Channel (SAC) information | |[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, Surface Pro with LTE Advanced, and Surface Pro information | diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index fd67224039..b1f7c26052 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -10,7 +10,7 @@ ms.pagetype: surface, devices, security ms.sitesec: library author: brecords ms.author: jdecker -ms.date: 01/03/2018 +ms.date: 02/12/2018 --- # Microsoft Surface Data Eraser @@ -139,25 +139,32 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 8. Click the **Yes** button to continue erasing data on the Surface device. +>[!NOTE] +>When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder. + ## Changes and updates Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: -### Version 3.2.45 +### Version 3.2.46.0 +This version of Microsoft Surface Data Eraser adds support for the following: + +- Surface Pro with LTE Advanced + + +### Version 3.2.45.0 This version of Microsoft Surface Data Eraser adds support for the following: - Surface Book 2 -- Surface Pro with LTE Advanced - - Surface Pro 1TB >[!NOTE] ->Surface Data Eraser v3.2.45 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/en-us/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. +>Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/en-us/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. -### Version 3.2.36 +### Version 3.2.36.0 This version of Microsoft Surface Data Eraser adds support for the following: diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index b57970b3ce..ec173a261d 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -23,7 +23,7 @@ You'll need to configure Microsoft Store for Education to accept the services ag You can watch the video to see how this is done, or follow the step-by-step guide.
- +> [!VIDEO https://www.youtube.com/embed/Jnbssq0gC_g] You can watch the descriptive audio version here: [Microsoft Education: Configure Microsoft Store for Education (DA)](https://www.youtube.com/watch?v=bStgEpHbEXw) @@ -53,11 +53,6 @@ You can watch the descriptive audio version here: [Microsoft Education: Configur Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. - - > [!div class="step-by-step"] [<< Use School Data Sync to import student data](use-school-data-sync.md) [Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md) diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index 09326b1e2e..6c74c506b0 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md @@ -46,10 +46,6 @@ To get started, IT administrators need to use the Office 365 Admin Center to ena You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page. - > [!div class="step-by-step"] [<< Use School Data Sync to import student data](use-school-data-sync.md) diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index 7dd5513764..55a52faa11 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -26,7 +26,7 @@ Once you've set up your Windows 10 education device, it's worth checking to veri You can watch the video to see how this is done, or follow the step-by-step guide.
- +> [!VIDEO https://www.youtube.com/embed/nhQ_4okWFmk] You can watch the descriptive audio version here: [Microsoft Education: Verify Windows 10 education devices are Azure AD joined and managed (DA)](https://www.youtube.com/watch?v=_hVIxaEsu2Y) @@ -78,7 +78,7 @@ You can follow the rest of the walkthrough to finish setup and complete other ta You can watch the following video to see how to update group settings in Intune for Education and configure Azure settings. Or, you can follow the step-by-step guide for these tasks and the other tasks listed above. - +> [!VIDEO https://www.youtube.com/embed/M6-k73dZOfw] You can watch the descriptive audio version here: [Microsoft Education: Update settings, apps, and Azure AD settings for your education tenant (DA)](https://www.youtube.com/watch?v=-Rz3VcDXbzs) diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 3fcbd5064e..59d939c2eb 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -23,7 +23,7 @@ Schools can use Office 365 to save time and be more productive. Built with power Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
- +> [!VIDEO https://www.youtube.com/embed/X7bscA-knaY] You can watch the descriptive audio version here: [Microsoft Education: Set up an Office 365 Education tenant (DA)](https://www.youtube.com/watch?v=d5tQ8KoB3ic) diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index 3398db7d3f..edb76d6448 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md @@ -19,7 +19,7 @@ If you are setting up a Windows 10 device invidividually, and network bandwidth You can watch the video to see how this is done, or follow the step-by-step guide.
- +> [!VIDEO https://www.youtube.com/embed/nADWqBYvqXk] You can watch the descriptive audio version here: [Microsoft Education: Set up a new Windows 10 education devices using the Windows setup experience (DA)](https://www.youtube.com/watch?v=_UtS1Cz2Pno) diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index 5541526c47..646d7b8e16 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md @@ -41,7 +41,7 @@ Note that for verified education tenants, Microsoft automatically provisions you You can watch the video to see how this is done, or follow the step-by-step guide.
- +> [!VIDEO https://www.youtube.com/embed/c3BLoZZw3TQ] You can watch the descriptive audio version here: [Microsoft Education: Use Intune for Education to manage groups, apps, and settings (DA)](https://youtu.be/Tejxfc4V7cQ) diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index a370bb71b8..c5392b41b9 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -25,7 +25,7 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial You can watch the video to see how this is done, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/ehSU8jr8T24] You can watch the descriptive audio version here: [Microsoft Education: Use School Data Sync to import student data (DA)](https://www.youtube.com/watch?v=l4b086IMtvc) diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 125ea5cd60..b932073a8f 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -31,10 +31,10 @@ ms.date: 01/12/2017
- + ![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png) ## 1. Log in and connect to the school network @@ -49,10 +49,10 @@ To try out the educator tasks, start by logging in as a teacher. ![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png) ## 2. Significantly improve student reading speed and comprehension - + Learning Tools and the Immersive Reader can be used in the Microsoft Edge browser, Microsoft Word, and Microsoft OneNote to: * Increase fluency for English language learners @@ -80,10 +80,10 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse ![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) ## 3. Spark communication, critical thinking, and creativity in the classroom - + Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more! @@ -99,10 +99,10 @@ Take a guided tour of Microsoft Teams and test drive this digital hub. ![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png) ## 4. Expand classroom collaboration and interaction between students - + Microsoft OneNote organizes curriculum and lesson plans for teachers and students to work together and at their own pace. It provides a digital canvas to store text, images, handwritten drawings, attachments, links, voice, and video. @@ -130,10 +130,9 @@ See how a group project comes together with opportunities to interact with other ![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png) ## 5. Get kids to further collaborate and problem solve - Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination. diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 2dbb835a36..62510022e6 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -20,9 +20,9 @@ ms.date: 12/11/2017
- +> [!VIDEO https://www.youtube.com/embed/azoxUYWbeGg] + +
Welcome to Microsoft Education Trial in a Box. We built this trial to make it easy to try our latest classroom technologies. We have two scenarios for you to try: one for educators and one for IT. We recommend starting with Educators. To begin, click **Get started** below. diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index 5164c21a1d..bd1c4b36cd 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -35,9 +35,8 @@ To get the most out of Microsoft Education, we've pre-configured your tenant for If you run into any problems while following the steps in this guide, or you have questions about Trial in a Box or Microsoft Education, see [Microsoft Education Trial in a Box Support](support-options.md).
- + +> [!VIDEO https://www.youtube.com/embed/cVVKCpO2tyI]
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 21ac36db3c..7cd7884f9b 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -42,7 +42,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
- +> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA] You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI) @@ -89,9 +89,19 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the 5. Click **Just remove my files**. 6. Click **Reset**. +* **Use an NTFS-formatted USB key** + + If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this: + + 1. Insert the USB key into your computer. + 2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results. + 3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options. + 4. Select **Format** from the list to bring up the **Format ** window. + 5. Set **File system** to **NTFS** and then click **Start** to format the drive. + * **Use more than one USB key** - If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on. + If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on. * **Keep it clean** @@ -112,7 +122,8 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the - You must have the Microsoft Store for Education configured. - You must be a global admin in the Microsoft Store for Education. - It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app. -- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. +- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. +- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger. ## Set up School PCs step-by-step diff --git a/mdop/mbam-v25/TOC.md b/mdop/mbam-v25/TOC.md index d465652210..22008a42bb 100644 --- a/mdop/mbam-v25/TOC.md +++ b/mdop/mbam-v25/TOC.md @@ -55,6 +55,7 @@ #### [How to Enable BitLocker by Using MBAM as Part of a Windows Deployment](how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md) #### [How to Deploy the MBAM Client by Using a Command Line](how-to-deploy-the-mbam-client-by-using-a-command-line.md) ### [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md) +### [Upgrading to MBAM 2.5 SP1 from MBAM 2.5](upgrading-to-mbam-25-sp1-from-mbam-25.md) ### [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md) ### [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) ## [Operations for MBAM 2.5](operations-for-mbam-25.md) diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md new file mode 100644 index 0000000000..f650f130b3 --- /dev/null +++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md @@ -0,0 +1,44 @@ +--- +title: Upgrading to MBAM 2.5 SP1 from MBAM 2.5 +description: Upgrading to MBAM 2.5 SP1 from MBAM 2.5 +author: kaushika-msft +ms.assetid: +ms.pagetype: mdop, security +ms.mktglfcycl: manage +ms.sitesec: library +ms.prod: w10 +ms.date: 2/16/2018 +--- + +# Upgrading to MBAM 2.5 SP1 from MBAM 2.5 +This topic describes the process for upgrading the Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 and the MBAM Client from 2.5 to MBAM 2.5 SP1. + +### Before you begin, download the September 2017 servicing release +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126) + +#### Steps to upgrade the MBAM Database (SQL Server) +1. Using the MBAM Configurator; remove the Reports roll from the SQL server, or wherever the SSRS database is housed (Could be on the same server or different one, depending on your environment) +Note: You will not see an option to remove the Databases; this is expected.   +2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: +3. Do not configure it at this time  +4. Install the September Rollup: https://www.microsoft.com/en-us/download/details.aspx?id=56126 +5. Using the MBAM Configurator; re-add the Reports rollup +6. This will configure the SSRS connection using the latest MBAM code from the rollup  +7. Using the MBAM Configurator; re-add the SQL Database roll on the SQL Server. +- At the end, you will be warned that the DBs already exist and weren’t created, but this is  expected. +- This process updates the existing databases to the current version being installed       + +#### Steps to upgrade the MBAM Server (Running MBAM and IIS) +1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server +2. Install MBAM 2.5 SP1 +3. Do not configure it at this time   +4. Install the September 2017 Rollup on the IIS server(https://www.microsoft.com/en-us/download/details.aspx?id=56126) +5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server  +6. This will configure the sites using the latest MBAM code from the June Rollup +- Open an elevated command prompt, Type: **IISRESET** and Hit Enter. + +#### Steps to upgrade the MBAM Clients/Endpoints +1. Uninstall the 2.5 Agent from client endpoints +2. Install the 2.5 SP1 Agent on the client endpoints +3. Push out the September Rollup Client update to clients running the 2.5 SP1 Agent  +4. There is no need to uninstall existing client prior to installing the September Rollup.   diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index d63ff3800d..20536b0115 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: store author: TrudyHa ms.author: TrudyHa -ms.date: 1/29/2018 +ms.date: 2/9/2018 ms.localizationpriority: high --- @@ -20,7 +20,7 @@ Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For Watch this video to learn more about Windows AutoPilot in Micrsoft Store for Business.
-[!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false] +> [!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false] ## What is Windows AutoPilot Deployment Program? In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. diff --git a/store-for-business/images/invite-people.png b/store-for-business/images/invite-people.png new file mode 100644 index 0000000000..b004d3ad7f Binary files /dev/null and b/store-for-business/images/invite-people.png differ diff --git a/store-for-business/images/mpsa-link.png b/store-for-business/images/mpsa-link.png new file mode 100644 index 0000000000..74f1496935 Binary files /dev/null and b/store-for-business/images/mpsa-link.png differ diff --git a/store-for-business/images/msfb-products-services.png b/store-for-business/images/msfb-products-services.png new file mode 100644 index 0000000000..1ddba79518 Binary files /dev/null and b/store-for-business/images/msfb-products-services.png differ diff --git a/store-for-business/images/msfb-ps-collection-idp.png b/store-for-business/images/msfb-ps-collection-idp.png new file mode 100644 index 0000000000..ddd8907d6b Binary files /dev/null and b/store-for-business/images/msfb-ps-collection-idp.png differ diff --git a/store-for-business/images/msfb-settings-icon.png b/store-for-business/images/msfb-settings-icon.png new file mode 100644 index 0000000000..1601965566 Binary files /dev/null and b/store-for-business/images/msfb-settings-icon.png differ diff --git a/store-for-business/images/msfb-wn-1801-products-services.png b/store-for-business/images/msfb-wn-1801-products-services.png new file mode 100644 index 0000000000..dc98ffd2e4 Binary files /dev/null and b/store-for-business/images/msfb-wn-1801-products-services.png differ diff --git a/store-for-business/images/office-logo.png b/store-for-business/images/office-logo.png new file mode 100644 index 0000000000..04d970bb47 Binary files /dev/null and b/store-for-business/images/office-logo.png differ diff --git a/store-for-business/images/perf-improvement-icon.png b/store-for-business/images/perf-improvement-icon.png new file mode 100644 index 0000000000..74be488894 Binary files /dev/null and b/store-for-business/images/perf-improvement-icon.png differ diff --git a/store-for-business/images/private-store-icon.png b/store-for-business/images/private-store-icon.png new file mode 100644 index 0000000000..f09679693f Binary files /dev/null and b/store-for-business/images/private-store-icon.png differ diff --git a/store-for-business/images/product-and-service-icon.png b/store-for-business/images/product-and-service-icon.png new file mode 100644 index 0000000000..c18d3c8266 Binary files /dev/null and b/store-for-business/images/product-and-service-icon.png differ diff --git a/store-for-business/images/products-and-services-photoshop.png b/store-for-business/images/products-and-services-photoshop.png new file mode 100644 index 0000000000..f20c074aeb Binary files /dev/null and b/store-for-business/images/products-and-services-photoshop.png differ diff --git a/store-for-business/images/products-and-services-ppt.png b/store-for-business/images/products-and-services-ppt.png new file mode 100644 index 0000000000..9b4d77fb7c Binary files /dev/null and b/store-for-business/images/products-and-services-ppt.png differ diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index dc2a945599..93d1f09234 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.date: 11/30/2017 +ms.date: 2/15/2018 ms.localizationpriority: high --- @@ -25,21 +25,25 @@ The name of your private store is shown on a tab in Microsoft Store app, or on [ ![Image showing Microsoft Store app with private store tab highlighted.](images/wsfb-wsappprivatestore.png) You can change the name of your private store in Microsoft Store. - \ No newline at end of file diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 4d706c69f6..705b6a6199 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.date: 1/8/2018 +ms.date: 2/8/2018 --- # Microsoft Store for Business and Education release history @@ -15,6 +15,10 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## December 2017 + +- Bug fixes and permformance improvements. + ## November 2017 - **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 80d4cc6d6c..fd595f2771 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.date: 1/8/2018 +ms.date: 2/16/2018 --- # What's new in Microsoft Store for Business and Education @@ -15,14 +15,23 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**December 2017** +**January & February, 2018** + +| | | +|--------------------------------------|---------------------------------| +| ![Microsoft Store for Business Products & services page.](images/product-and-service-icon.png) |**One place for apps, software, and subscriptions**

The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services. This includes Apps, Software, and Subscriptions that your organization acquired or manages through Microsoft Store for Business. This change centralizes these products, but the platform changes also improve overall performance.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Private store collections](images/private-store-icon.png) |**Create collections of apps in your private store**

Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class.

[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Upgrade Office 365 trial subscription.](images/office-logo.png) |**Upgrade Office 365 trial subscription**

Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Image showing Settings icon.](images/mpsa-link.png) |**Supporting Microsoft Product and Services Agreement customers**

If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details. Also, we added the ability to associate your purchasing account to your tenant.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Image showing Settings icon.](images/invite-people.png) |**Microsoft Product and Services Agreement customers can invite people to take roles**

MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | + -We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features! + + + + + + + + + + - + ``` ## Example AssignedAccessConfiguration XML @@ -560,3 +650,480 @@ Example of the Delete command. ``` + +## StatusConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + +``` + +## StatusConfiguration example + +StatusConfiguration Add OnWithAlerts + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + + + +``` + + +StatusConfiguration Delete +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + +``` + +StatusConfiguration Get + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + +``` + +StatusConfiguration Replace On + +```syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + + + +``` + +## Status example + +Status Get +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Status + + + + + + +``` + +## ShellLauncherConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## ShellLauncherConfiguration examples + +ShellLauncherConfiguration Add +``` + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +ShellLauncherConfiguration Add AutoLogon +``` + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +ShellLauncherConfiguration Get +``` + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + +``` + +## AssignedAccessAlert XSD + +```syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 564378ac63..4d6da38792 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -7,12 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 02/22/2018 --- # AssignedAccess DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -20,7 +23,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1709. +The XML below is for Windows 10, version 1803. ``` syntax @@ -48,7 +51,7 @@ The XML below is for Windows 10, version 1709. - com.microsoft/1.1/MDM/AssignedAccess + com.microsoft/2.0/MDM/AssignedAccess @@ -111,6 +114,84 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu + + Status + + + + + This read only node contains kiosk health event xml + + + + + + + + + + + + + + text/plain + + + + + ShellLauncher + + + + + + + + This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + + + StatusConfiguration + + + + + + + + This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + text/plain + + + ``` diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png index c8db9ee059..b1ebee57d9 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 8fdf97effb..6c82e08937 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1403,10 +1403,29 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + +[Policy CSP](policy-configuration-service-provider.md) +

Added the following new policies for Windows 10, next major update:

+
    +
  • Display/DisablePerProcessDpiForApps
    • +
  • Display/EnablePerProcessDpi
    • +
  • Display/EnablePerProcessDpiForApps
    • +
      + [VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)

      Updated the XSD and Plug-in profile example for VPNv2 CSP.

      + +[AssignedAccess CSP](assignedaccess-csp.md) +

      Added the following nodes in Windows 10, version 1803:

      +
        +
      • Status
        • +
      • ShellLauncher
        • +
      • StatusConfiguration
        • +
      +

      Updated the AssigneAccessConfiguration schema.

      + @@ -1426,7 +1445,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy CSP](policy-configuration-service-provider.md) -

      Added the following new policies for Windows 10, next major update:

      +

      Added the following new policies for Windows 10, version 1803:

      • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
      • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
        • @@ -1539,11 +1558,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [BitLocker CSP](bitlocker-csp.md) -

        Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.

        +

        Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

        [DMClient CSP](dmclient-csp.md) -

        Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, next major update:

        +

        Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

        • AADSendDeviceToken
        • BlockInStatusPage
          • @@ -1555,7 +1574,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [RemoteWipe CSP](remotewipe-csp.md) -

          Added the following nodes in Windows 10, next major update:

          +

          Added the following nodes in Windows 10, version 1803:

          • AutomaticRedeployment
          • doAutomaticRedeployment
            • @@ -1565,11 +1584,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Defender CSP](defender-csp.md) -

            Added new node (OfflineScan) in Windows 10, next major update.

            +

            Added new node (OfflineScan) in Windows 10, version 1803.

            [UEFI CSP](uefi-csp.md) -

            Added a new CSP in Windows 10, next major update.

            +

            Added a new CSP in Windows 10, version 1803.

            diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 07dec60956..3791a903e5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -943,6 +943,15 @@ The following diagram shows the Policy configuration service provider in tree fo ### Display policies
            +
            + Display/DisablePerProcessDpiForApps +
            +
            + Display/EnablePerProcessDpi +
            +
            + Display/EnablePerProcessDpiForApps +
            Display/TurnOffGdiDPIScalingForApps
            diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index fbfc7878d5..481bc438d3 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,12 +6,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 02/05/2018 --- # Policy CSP - Display +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -19,6 +21,15 @@ ms.date: 01/30/2018 ## Display policies
            +
            + Display/DisablePerProcessDpiForApps +
            +
            + Display/EnablePerProcessDpi +
            +
            + Display/EnablePerProcessDpiForApps +
            Display/TurnOffGdiDPIScalingForApps
            @@ -28,6 +39,180 @@ ms.date: 01/30/2018
            +
            + + +**Display/DisablePerProcessDpiForApps** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            check mark4check mark4check mark4check mark4check mark4cross markcross mark
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + + + + + + + + + + + +
            + + +**Display/EnablePerProcessDpi** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            check mark4check mark4check mark4check mark4check mark4cross markcross mark
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
            + + + +Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows. + +When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows. + +Be aware of the following: + +Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors. + +Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays. + +In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled. + +Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application overrides. If you disable or do not configure this setting, Per Process System DPI will not apply to any processes on the system. + + + +The following list shows the supported values: + +- 0 - Disable. +- 1 - Enable. + + + + + + + + + + + +
            + + +**Display/EnablePerProcessDpiForApps** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            check mark4check mark4check mark4check mark4check mark4cross markcross mark
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + + + + + + + + + + + + +
            diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 6b6afaec07..710bbc8021 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -34,14 +34,18 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se **Settings/ClipboardFileType**

            Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            -- 0 - Allow text copying. -- 1 - Allow text and image copying. +- 0 - Disables content copying. +- 1 - Allow text copying. +- 2 - Allow image copying. +- 3 - Allow text and image copying. **Settings/ClipboardSettings**

            This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete

            - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. -- 1 - Turns On the clipboard functionality and lets you choose whether to additionally enable copying of certain content from Application Guard into Microsoft Edge and enable copying of certain content from Microsoft Edge into Application Guard. +- 1 - Turns On clipboard operation from an isolated session to the host +- 2 - Turns On clipboard operation from the host to an isolated session +- 3 - Turns On clipboard operation in both the directions > [!Important] > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 2542a03b63..e08ae3f4bd 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -2,9 +2,10 @@ ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) ## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) -## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) ## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -## [Windows 10 diagnostic data for the Full diagnostic data level](windows-diagnostic-data-1703.md) +## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) +## [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) +## [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) ## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md) diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md index 7db5063374..eac9fde18a 100644 --- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Learn more about the Windows diagnostic data that is gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) keywords: privacy, diagnostic data ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: eross-msft ms.author: lizross -ms.date: 10/26/2017 +ms.date: 02/12/2018 --- @@ -101,7 +101,7 @@ The following fields are available: - **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. - **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. - **iKey** Represents an ID for applications or other logical groupings of events. -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. - **os** Represents the operating system name. - **osVer** Represents the OS version, and its format is OS dependent. - **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. @@ -255,7 +255,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.RunContext -"This event indicates what should be expected in the data payload. " +This event indicates what should be expected in the data payload. The following fields are available: @@ -1604,6 +1604,39 @@ The following fields are available: - **SocketCount** Number of physical CPU sockets of the machine. +### Census.Security + +This event provides information on about security settings used to help keep Windows up-to-date and secure. + +- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard. +- **CGRunning** Is Credential Guard running? +- **DGState** A summary of the Device Guard state. +- **HVCIRunning** Is HVCI running? +- **IsSawGuest** Describes whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Describes whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Is this device capable of running Secure Boot? +- **VBSState** Is virtualization-based security enabled, disabled, or running? + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)." +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. + + + ### Census.Storage This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. @@ -1614,34 +1647,6 @@ The following fields are available: - **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). - **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **isVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device id of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS. - - ### Census.Userdefault This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. @@ -1664,6 +1669,25 @@ The following fields are available: - **KeyboardInputLanguages** The Keyboard input languages installed on the device. - **SpeechInputLanguages** The Speech Input languages installed on the device. +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **isVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + + + + + ### Census.WU @@ -1695,34 +1719,18 @@ The following fields are available: - **WUPauseState** Retrieves WU setting to determine if updates are paused - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). +### Census.Xbox -### Census.Speech - -This event is used to gather basic speech settings on the device. +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. The following fields are available: -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)." -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device id of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS. -### Census.Security -This event provides information on about security settings used to help keep Windows up-to-date and secure. - -- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard. -- **CGRunning** Is Credential Guard running? -- **DGState** A summary of the Device Guard state. -- **HVCIRunning** Is HVCI running? -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Is this device capable of running Secure Boot? -- **VBSState** Is virtualization-based security enabled, disabled, or running? ## Diagnostic data events @@ -1812,7 +1820,7 @@ The following fields are available: - **LastEventSizeOffender** The name of the last event that exceeded the maximum event size. - **LastInvalidHttpCode** The last invalid HTTP code received from Vortex. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component. +- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component. - **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events. - **SettingsHttpAttempts** The number of attempts to contact the OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. @@ -1990,8 +1998,9 @@ The following fields are available: This event provides data on the installed Office Add-ins. -- **AddInCLSID** The CLSID key office the Office addin. -- **AddInId** The ID of the Office addin. +- **AddInCLSID** The CLSID key office for the Office addin. +- **AddInId** The identifier of the Office addin. +- **AddinType** The type of the Office addin. - **BinFileTimestamp** The timestamp of the Office addin. - **BinFileVersion** The version of the Office addin. - **Description** The description of the Office addin. @@ -2004,8 +2013,58 @@ This event provides data on the installed Office Add-ins. - **OfficeArchitecture** The architecture of the addin. - **OfficeVersion** The Office version for this addin. - **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin. +- **ProductCompany** The name of the company associated with the Office addin. +- **ProductName** The product name associated with the Office addin. +- **ProductVersion** The version associated with the Office addin. +- **ProgramId** The unique program identifier of the Office addin. - **Provider** The provider name for this addin. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +This event indicates that the particular data object represented by the objectInstanceId is no longer present. + +There are no fields in this event. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products. + +The following fields are available: + +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +This event indicates that the particular data object represented by the objectInstanceId is no longer present. + +There are no fields in this event. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +There are no fields in this event. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings. + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products. +- **ExchangeProviderFlags** Provider policies for Office Exchange. +- **SharedComputerLicensing** Office shared computer licensing policies. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +There are no fields in this event. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd @@ -2036,6 +2095,18 @@ The following fields are available: - **Validation_x64** Count of files that require additional manual validation for 64-bit issues +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +This event indicates that the particular data object represented by the objectInstanceId is no longer present. + +There are no fields in this event. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +This event indicates that the particular data object represented by the objectInstanceId is no longer present. + +There are no fields in this event. + ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent @@ -2412,6 +2483,66 @@ This event indicates that a new sync is being generated for this object type. There are no fields in this event. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +This event provides data on the installed Office identifiers. + +- **OAudienceData** The Office Audience descriptor. +- **OAudienceId** The Office Audience ID. +- **OMID** The Office machine ID. +- **OPlatform** The Office architecture. +- **OVersion** The Office version +- **OTenantId** The Office 365 Tenant GUID. +- **OWowMID** The Office machine ID. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +This event indicates that a new sync is being generated for this object type. + +There are no fields in this event. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +This event provides data on the installed Office-related Internet Explorer features. + +- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). +- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx). + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +This event indicates that a new sync is being generated for this object type. + +There are no fields in this event. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +This event describes the Office products that are installed. + +- **OC2rApps** The Office Click-to-Run apps. +- **OC2rSkus** The Office Click-to-Run products. +- **OMsiApps** The Office MSI apps. +- **OProductCodes** The Office MSI product code. + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +This event indicates that a new sync is being generated for this object type. + +There are no fields in this event. + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync This event indicates that a new sync is being generated for this object type. diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index a12a531608..144f6425e6 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -8,13 +8,21 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jdeckerms -ms.date: 01/31/2018 +ms.date: 02/12/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## February 2018 + +New or changed topic | Description +--- | --- +[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Added events and fields that were added in the February update. +[Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added steps for configuring a kiosk in Microsoft Intune. +[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Updated the instructions for applying a customized Start layout using Microsoft Intune. + ## January 2018 New or changed topic | Description diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index eb38b5217a..ac50964c8f 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -43,7 +43,7 @@ The following example shows how apps will be pinned: Windows default apps to the 3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). >[!IMPORTANT] ->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. +>If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. > >If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 25187b8f0a..0fd4cae9da 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 11/15/2017 +ms.date: 02/08/2018 --- # Customize Windows 10 Start and taskbar with mobile device management (MDM) @@ -45,86 +45,37 @@ Two features enable Start layout control:   -- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244). +- In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. ## Create a policy for your customized Start layout This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy. -1. In the Start layout file created when you ran **Export-StartLayout**, replace markup characters with escape characters, and save the file. (You can replace the characters manually or use an online tool.) +1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. - Example of a layout file produced by Export-StartLayout: +2. Select **Device configuration**. - - - - - - - - - - - - - - - -
            XML
            <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
-      <DefaultLayoutOverride>
-        <StartLayoutCollection>
-          <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
-            <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
-              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
-              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
-              <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
-            </start:Group>        
-          </defaultlayout:StartLayout>
-        </StartLayoutCollection>
-      </DefaultLayoutOverride>
-    </LayoutModificationTemplate>
            +3. Select **Profiles**. - Example of the same layout file with escape characters replacing the markup characters: +4. Select **Create profile**. -``` - &lt;wdcml:p xmlns:wdcml=&quot;http://microsoft.com/wdcml&quot;&gt;Example of a layout file produced by Export-StartLayout:&lt;/wdcml:p&gt;&lt;wdcml:snippet xmlns:wdcml=&quot;http://microsoft.com/wdcml&quot;&gt;&lt;![CDATA[&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt; - &lt;DefaultLayoutOverride&gt; - &lt;StartLayoutCollection&gt; - &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt; - &lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt; - &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt; - &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt; - &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt; - &lt;/start:Group&gt; - &lt;/defaultlayout:StartLayout&gt; - &lt;/StartLayoutCollection&gt; - &lt;/DefaultLayoutOverride&gt; - &lt;/LayoutModificationTemplate&gt;]]&gt;&lt;/wdcml:snippet&gt; -``` +5. Enter a friendly name for the profile. -2. In the Microsoft Intune administration console, click **Policy** > **Add Policy**. +6. Select **Windows 10 and later** for the platform. -3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy. +7. Select **Device restrictions for the profile type. -4. Enter a name (mandatory) and description (optional) for the policy. +8. Select **Start**. -5. In the **OMA-URI Settings** section, click **Add.** +9. In **Start menu layout**, browse to and select your Start layout XML File. -6. In **Add or Edit OMA-URI Setting**, enter the following information. +10. Select **OK** twice, and then select **Create**. - | Item | Information | - |----|----| - | **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. | - | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. | - | **Data type** | **String** | - | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** | - | **Value** | Paste the contents of the Start layout .xml file that you created. | +11. Assign the profile to a device group. -   -7. Click **OK** to save the setting and return to the **Create Policy** page. +For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -8. Click **Save Policy**. ## Related topics diff --git a/windows/configuration/index.md b/windows/configuration/index.md index e38d95e4ca..d8cfdf2e49 100644 --- a/windows/configuration/index.md +++ b/windows/configuration/index.md @@ -22,9 +22,10 @@ Enterprises often need to apply custom configurations to devices for their users | [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. | |[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.| | [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. | -|[Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.| -| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. | -| [Windows 10 diagnostic data for the Full diagnostic data level](windows-diagnostic-data-1703.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703 and later. | +| [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)| Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703.| +| [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.| +| [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1709. | +| [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1703. | |[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.| | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index ea121c6820..94ac63a7a7 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: high -ms.date: 01/31/2018 +ms.date: 02/08/2018 ms.author: jdecker --- @@ -20,21 +20,49 @@ ms.author: jdecker - Windows 10 -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using Microsoft Intune or a provisioning package. +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. + +The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. + +>[!WARNING] +>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. + +You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). + + +## Configure a kiosk in Microsoft Intune Watch how to use Intune to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false] ->[!NOTE] ->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. +1. [Generate the Start layout for the kiosk device.](#startlayout) +2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +3. Select **Device configuration**. +4. Select **Profiles**. +5. Select **Create profile**. +6. Enter a friendly name for the profile. +7. Select **Windows 10 and later** for the platform. +8. Select **Device restrictions** for the profile type. +9. Select **Kiosk**. +10. In **Kiosk Mode**, select **Multi app kiosk**. +11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. +12. Enter a friendly name for the configuration. +13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app. + - For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device. + - For **UWP App**, enter the Application User Model ID for an installed app. +14. Select whether to enable the taskbar. +15. Browse to and select the Start layout XML file that you generated in step 1. +16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available. +17. Select **OK**. You can add additional configurations or finish. +18. Assign the profile to a device group to configure the devices in that group as kiosks. -The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. ->[!WARNING] ->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. + +## Configure a kiosk using a provisioning package + Process: 1. [Create XML file](#create-xml-file) 2. [Add XML file to provisioning package](#add-xml) @@ -46,14 +74,15 @@ Watch how to use a provisioning package to configure a multi-app kiosk. If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge). -## Prerequisites +### Prerequisites - Windows Configuration Designer (Windows 10, version 1709) - The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 +>[!NOTE] +>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. - -## Create XML file +### Create XML file Let's start by looking at the basic structure of the XML file. @@ -90,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t ``` -### Profile +#### Profile A profile section in the XML has the following entries: @@ -103,7 +132,7 @@ A profile section in the XML has the following entries: - [**Taskbar**](#taskbar) -#### Id +##### Id The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. @@ -113,7 +142,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ``` -#### AllowedApps +##### AllowedApps **AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps. @@ -155,7 +184,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula ``` -#### StartLayout +##### StartLayout After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. @@ -202,7 +231,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ![What the Start screen looks like when the XML sample is applied](images/sample-start.png) -#### Taskbar +##### Taskbar Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. @@ -221,7 +250,7 @@ The following example hides the taskbar: >[!NOTE] >This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. -### Configs +#### Configs Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. @@ -256,7 +285,7 @@ Before applying the multi-app configuration, make sure the specified user accoun -## Add XML file to provisioning package +### Add XML file to provisioning package Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). @@ -317,12 +346,12 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 15. Copy the provisioning package to the root directory of a USB drive. -## Apply provisioning package to device +### Apply provisioning package to device Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). -### During initial setup, from a USB drive +#### During initial setup, from a USB drive 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. @@ -346,7 +375,7 @@ Provisioning packages can be applied to a device during the first-run experience -### After setup, from a USB drive, network folder, or SharePoint site +#### After setup, from a USB drive, network folder, or SharePoint site 1. Sign in with an admin account. 2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. @@ -365,7 +394,7 @@ Provisioning packages can be applied to a device during the first-run experience -## Use MDM to deploy the multi-app configuration +### Use MDM to deploy the multi-app configuration Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index efdd0f54a8..f37871b6d2 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -36,6 +36,7 @@ You should not extract this package to the windows\\system32 folder because it w Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article. It is recommended that you restart a device after making configuration changes to it. +Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. @@ -88,17 +89,17 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | @@ -1065,7 +1066,17 @@ To turn off **Choose apps that can use your microphone**: ### 17.5 Notifications -In the **Notifications** area, you can choose which apps have access to notifications. +To turn off notifications network usage: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage** + + - Set to **Enabled**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one) + +In the **Notifications** area, you can also choose which apps have access to notifications. To turn off **Let apps access my notifications**: diff --git a/windows/configuration/manage-windows-endpoints-version-1709.md b/windows/configuration/manage-windows-endpoints-version-1709.md index 1c52da910b..1ce981a341 100644 --- a/windows/configuration/manage-windows-endpoints-version-1709.md +++ b/windows/configuration/manage-windows-endpoints-version-1709.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high author: brianlic-msft -ms.author: brianlic-msft +ms.author: brianlic ms.date: 11/21/2017 --- # Manage Windows 10 connection endpoints @@ -318,7 +318,6 @@ If you turn off traffic for these endpoints, users won't be able to save documen | system32\Auth.Host.exe | HTTPS | outlook.office365.com | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -ently used documents. | Source process | Protocol | Destination | |----------------|----------|------------| diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 0fe1c5b458..d68048c98d 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -32,7 +32,8 @@ A single-use or *kiosk* device is easy to set up in Windows 10 for desktop edit - For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only). -To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). +>[!TIP] +>To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). >[!NOTE] >A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 62ab60728d..f0eda613ab 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -51,7 +51,7 @@ The following policy settings can be configured for UE-V.

            The default is enabled.

            -

            Roam Windows settings

            +

            Synchronize Windows settings

            Computers and Users

            This Group Policy setting configures the synchronization of Windows settings.

            Select which Windows settings synchronize between computers.

            diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index dc86093dd9..fa754b467b 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -425,6 +425,7 @@ The following table shows the scenarios supported by this customization: Multivariant setting set?|SPN provisioned?|MSISDN (last 4 digits: 1234, for example) provisioned?|Default SIM name +--- | --- | --- | --- Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234 Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters) Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters) diff --git a/windows/configuration/windows-diagnostic-data-1703.md b/windows/configuration/windows-diagnostic-data-1703.md index 954a8fc5e0..67fd23abec 100644 --- a/windows/configuration/windows-diagnostic-data-1703.md +++ b/windows/configuration/windows-diagnostic-data-1703.md @@ -8,13 +8,13 @@ ms.sitesec: library ms.localizationpriority: high author: eross-msft ms.author: lizross -ms.date: 04/05/2017 +ms.date: 11/28/2017 --- # Windows 10 diagnostic data for the Full diagnostic data level **Applies to:** -- Windows 10, version 1703 and later +- Windows 10, version 1703 Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md). diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md new file mode 100644 index 0000000000..e3c5fb9fa4 --- /dev/null +++ b/windows/configuration/windows-diagnostic-data.md @@ -0,0 +1,262 @@ +--- +title: Windows 10, version 1709 diagnostic data for the Full level (Windows 10) +description: Use this article to learn about the types of diagnostic data that is collected at the Full level. +keywords: privacy,Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 01/30/2018 +--- + +# Windows 10, version 1709 diagnostic data for the Full level + +Applies to: +- Windows 10, version 1709 + +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md). + +In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. + +The data covered in this article is grouped into the following types: + +- Common data (diagnostic header information) + +- Device, Connectivity, and Configuration data + +- Product and Service Usage data + +- Product and Service Performance data + +- Software Setup and Inventory data + +- Browsing History data + +- Inking, Typing, and Speech Utterance data + +## Common data +Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017. + +**Data Use for Common data** +Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. + +### Data Description for Common data type +|Sub-type|Description and examples| +|- |- | +|Common Data|Information that is added to most diagnostic events, if relevant and available:
            • Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
            • Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
            • Event collection time (8.2.3.2.2 Telemetry data)
            • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)
            • Xbox UserID (8.2.5 Account data)
            • Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
            • Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
            • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
            • Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
            • HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
            • Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
            | + +## Device, Connectivity, and Configuration data +This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data. + +### Data Use for Device, Connectivity, and Configuration data + +**For Diagnostics:**
            +[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example: + +- Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: + + - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues. + + - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues. + + - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices. + +- Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update. + +- Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. + +- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. + +**With (optional) Tailored experiences:**
            +If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: + +- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience. + +- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps. +  +### Data Description for Device, Connectivity, and Configuration data type +|Sub-type|Description and examples| +|- |- | +|Device properties |Information about the operating system and device hardware, such as:
            • Operating system - version name, edition
            • Installation type, subscription status, and genuine operating system status
            • Processor architecture, speed, number of cores, manufacturer, and model
            • OEM details --manufacturer, model, and serial number
            • Device identifier and Xbox serial number
            • Firmware/BIOS operating system -- type, manufacturer, model, and version
            • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
            • Storage -- total capacity and disk type
            • Battery -- charge capacity and InstantOn support
            • Hardware chassis type, color, and form factor
            • Is this a virtual machine?
            | +|Device capabilities|Information about the specific device capabilities, such as:
            • Camera -- whether the device has a front facing camera, a rear facing camera, or both.
            • Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
            • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
            • Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
            • Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
            • Voice -- whether voice interaction is supported and the number of active microphones
            • Number of displays, resolutions, and DPI
            • Wireless capabilities
            • OEM or platform face detection
            • OEM or platform video stabilization and quality-level set
            • Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
            | +|Device preferences and settings |Information about the device settings and user preferences, such as:
            • User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
            • User-provided device name
            • Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
            • Hashed representation of the domain name
            • MDM (mobile device management) enrollment settings and status
            • BitLocker, Secure Boot, encryption settings, and status
            • Windows Update settings and status
            • Developer Unlock settings and status
            • Default app choices
            • Default browser choice
            • Default language settings for app, input, keyboard, speech, and display
            • App store update settings
            • Enterprise OrganizationID, Commercial ID
            | +|Device peripherals |Information about the device peripherals, such as:
            • Peripheral name, device model, class, manufacturer, and description
            • Peripheral device state, install state, and checksum
            • Driver name, package name, version, and manufacturer
            • HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
            • Driver state, problem code, and checksum
            • Whether driver is kernel mode, signed, and image size
            | +|Device network info |Information about the device network configuration, such as:
            • Network system capabilities
            • Local or Internet connectivity status
            • Proxy, gateway, DHCP, DNS details, and addresses
            • Whether it's a paid or free network
            • Whether the wireless driver is emulated
            • Whether it's access point mode-capable
            • Access point manufacturer, model, and MAC address
            • WDI Version
            • Name of networking driver service
            • Wi-Fi Direct details
            • Wi-Fi device hardware ID and manufacturer
            • Wi-Fi scan attempt and item counts
            • Whether MAC randomization is supported and enabled
            • Number of supported spatial streams and channel frequencies
            • Whether Manual or Auto-connect is enabled
            • Time and result of each connection attempt
            • Airplane mode status and attempts
            • Interface description provided by the manufacturer
            • Data transfer rates
            • Cipher algorithm
            • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
            • Mobile operator and service provider name
            • Available SSIDs and BSSIDs
            • IP Address type -- IPv4 or IPv6
            • Signal Quality percentage and changes
            • Hotspot presence detection and success rate
            • TCP connection performance
            • Miracast device names
            • Hashed IP address
            + +## Product and Service Usage data +This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability. + +### Data Use for Product and Service Usage data + +**For Diagnostics:**
            +[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: + +- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. + +- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. + +- Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature. + +- Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process. + +- Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana. + +- Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app. + +**With (optional) Tailored experiences:**
            +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: + +- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature. + +- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps. + + +### Data Description for Product and Service Usage data type +|Sub-type|Description and examples | +|- |- | +|App usage|Information about Windows and application usage, such as:
            • Operating system component and app feature usage
            • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
            • Time of and count of app and component launches, duration of use, session GUID, and process ID
            • App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
            • User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
            • Cortana launch entry point and reason
            • Notification delivery requests and status
            • Apps used to edit images and videos
            • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines
            • Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
            • Emergency alerts are received or displayed statistics
            • Content searches within an app
            • Reading activity -- bookmarked, printed, or had the layout changed
            | +|App or product state|Information about Windows and application state, such as:
            • Start Menu and Taskbar pins
            • Online and offline status
            • App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture
            • Personalization impressions delivered
            • Whether the user clicked on, or hovered over, UI controls or hotspots
            • User provided feedback, such as Like, Dislike or a rating
            • Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
            | +|Purchasing|Information about purchases made on the device, such as:
            • Product ID, edition ID and product URI
            • Offer details -- price
            • Date and time an order was requested
            • Microsoft Store client type -- web or native client
            • Purchase quantity and price
            • Payment type -- credit card type and PayPal
            | +|Login properties|Information about logins on the device, such as:
            • Login success or failure
            • Login sessions and state
            | + +## Product and Service Performance data +This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data. + +### Data Use for Product and Service Performance data + +**For Diagnostics:**
            +[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: + +- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. + +- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance. + +- Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance. + +- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance. + +**With (optional) Tailored experiences:**
            +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. + +- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. + +- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. + +- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps. + +**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.** + +### Data Description for Product and Service Performance data type +|Sub-type|Description and examples | +|- |- | +|Device health and crash data|Information about the device and software health, such as:
            • Error codes and error messages, name and ID of the app, and process reporting the error
            • DLL library predicted to be the source of the error -- for example, xyz.dll
            • System generated files -- app or product logs and trace files to help diagnose a crash or hang
            • System settings, such as registry keys
            • User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
            • Details and counts of abnormal shutdowns, hangs, and crashes
            • Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
            • Crash and hang dumps, including:
              • The recorded state of the working memory at the point of the crash
              • Memory in-use by the kernel at the point of the crash.
              • Memory in-use by the application at the point of the crash
              • All the physical memory used by Windows at the point of the crash
              • Class and function name within the module that failed.
              | +|Device performance and reliability data|Information about the device and software performance, such as:
              • User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
              • Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
              • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
              • User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
              • UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
              • Disk footprint -- Free disk space, out of memory conditions, and disk score
              • Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
              • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
              • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
              • Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
              • Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
              • Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
              • Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
              | +|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
              • Video Width, height, color palette, encoding (compression) type, and encryption type
              • Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
              • URL for a specific two-second chunk of content if there is an error
              • Full-screen viewing mode details
              | +|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.
              • Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
              • Content type (video, audio, or surround audio)
              • Local media library collection statistics -- number of purchased tracks and number of playlists
              • Region mismatch -- User's operating system region and Xbox Live region
              | +|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
              • App accessing content and status and options used to open a Microsoft Store book
              • Language of the book
              • Time spent reading content
              • Content type and size details
              | +|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.
              • File source data -- local, SD card, network device, and OneDrive
              • Image and video resolution, video length, file sizes types, and encoding
              • Collection view or full screen viewer use and duration of view
              | +|On-device file query |Information about local search activity on the device, such as:
              • Kind of query issued and index type (ConstraintIndex or SystemIndex)
              • Number of items requested and retrieved
              • File extension of search result with which the user interacted
              • Launched item type, file extension, index of origin, and the App ID of the opening app
              • Name of process calling the indexer and the amount of time to service the query
              • A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
              | +|Entitlements |Information about entitlements on the device, such as:
              • Service subscription status and errors
              • DRM and license rights details -- Groove subscription or operating system volume license
              • Entitlement ID, lease ID, and package ID of the install package
              • Entitlement revocation
              • License type (trial, offline versus online) and duration
              • License usage session
              | + +## Software Setup and Inventory data +This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability. + +### Data Use for Software Setup and Inventory data + +**For Diagnostics:**
              +[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: + +- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update. + +- Data about when a download starts and finishes on a device is used to understand and address download problems. + +- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device. + +- Data about the antimalware installed on a device is used to understand malware transmissions vectors. + +**With (optional) Tailored experiences:**
              +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: + +- Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store. + +### Data Description for Software Setup and Inventory data type +|Sub-type|Description and examples | +|- |- | +|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:
              • App, driver, update package, or component’s Name, ID, or Package Family Name
              • Product, SKU, availability, catalog, content, and Bundle IDs
              • Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
              • Install date, method, install directory, and count of install attempts
              • MSI package and product code
              • Original operating system version at install time
              • User, administrator, or mandatory installation or update
              • Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
              | +|Device update information |Information about Windows Update, such as:
              • Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
              • Number of applicable updates, importance, and type
              • Update download size and source -- CDN or LAN peers
              • Delay upgrade status and configuration
              • Operating system uninstall and rollback status and count
              • Windows Update server and service URL
              • Windows Update machine ID
              • Windows Insider build details
              | + +## Browsing History data +This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history. + +### Data Use for Browsing History data + +**For Diagnostics:**
              +[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: + +- Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content. + +- Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain. + +- Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation. + +- Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature. + +- Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page. + +**With (optional) Tailored experiences:**
              +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: + +- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app. + +### Data Description for Browsing History data type +|Sub-type|Description and examples | +|- |- | +|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:
              • Text typed in **Address** bar and **Search** box
              • Text selected for an **Ask Cortana** search
              • Service response time
              • Auto-completed text, if there was an auto-complete
              • Navigation suggestions provided based on local history and favorites
              • Browser ID
              • URLs (may include search terms)
              • Page title
              | + +## Inking Typing and Speech Utterance data +This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information. + +### Data Use for Inking, Typing, and Speech Utterance data + +**For Diagnostics:**
              +[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: + +- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature. + +- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature. + +- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature. + +- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition. + +- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. + +**With (optional) Tailored experiences:** + +**Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.** + +### Data Description for Inking, Typing, and Speech Utterance data type +|Sub-type|Description and examples | +|- |- | +|Voice, inking, and typing|Information about voice, inking and typing features, such as:
              • Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
              • Pen gestures (click, double click, pan, zoom, or rotate)
              • Palm Touch x,y coordinates
              • Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
              • Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
              • Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
              • Text of speech recognition results -- result codes and recognized text
              • Language and model of the recognizer and the System Speech language
              • App ID using speech features
              • Whether user is known to be a child
              • Confidence and success or failure of speech recognition
              | + +## ISO/IEC 19944:2017-specific terminology +This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article. + +|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes | +|-|-|-| +|Provide |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.| +|Improve |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.| +|Personalize |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.| +|Recommend |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.

              Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.| +|Offer |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.

              Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.| +|Promote|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.| + +

              +|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes | +|-|-|-| +|Pseudonymized Data |8.3.3 Pseudonymized data|As defined| +|Anonymized Data |8.3.5 Anonymized data|As defined| +|Aggregated Data |8.3.6 Aggregated data|As defined| \ No newline at end of file diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index d306bd8ea5..c2d63ceca8 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -15,6 +15,7 @@ ### [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) +#### [Windows 10 downgrade paths](upgrade/windows-10-downgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 1f0ef3d834..8e67035c39 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 10/27/2017 +ms.date: 02/13/2018 ms.localizationpriority: high --- @@ -70,7 +70,7 @@ If any of these checks fails, the conversion will not proceed and an error will |/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| |/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| |/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.| +|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
              **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| ## Examples @@ -236,15 +236,18 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: -1. The existing MBR system partition is reused if it meets these requirements: - a. It is not also the OS or Windows Recovery Environment partition - b. It is at least 100MB (or 260MB for 4K sector size disks) in size - c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition. - d. If the conversion is being performed from the full OS, the disk being converted is not the system disk. +1. The existing MBR system partition is reused if it meets these requirements:
              + a. It is not also the OS or Windows Recovery Environment partition.
              + b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
              + c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
              + d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. 2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. +>[!IMPORTANT] +>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. + ### Partition type mapping and partition attributes Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: diff --git a/windows/deployment/update/images/SAC_vid_crop.jpg b/windows/deployment/update/images/SAC_vid_crop.jpg new file mode 100644 index 0000000000..9d08215fc9 Binary files /dev/null and b/windows/deployment/update/images/SAC_vid_crop.jpg differ diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg new file mode 100644 index 0000000000..47e74febbc Binary files /dev/null and b/windows/deployment/update/images/UC-vid-crop.jpg differ diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 91d87362f3..7fc29c58f5 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -31,7 +31,7 @@ To request an Olympia Corp account, please fill out the survey at [https://aka.m ## Enrollment guidelines -Welcome to Olympia Corp. Here are the steps to add your account to your PC. +Welcome to Olympia Corp. Here are the steps needed to Enroll. As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. @@ -43,7 +43,9 @@ Choose one of the following two enrollment options: -### Keep your current Windows 10 edition +### Set up an Azure Active Directory REGISTERED Windows 10 device + +- This is the Bring Your Own Device (BYOD) method - your device will receive Olympia policies and features, but a new account will not be created ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). @@ -77,7 +79,9 @@ Choose one of the following two enrollment options: -### Upgrade your Windows 10 edition from Pro to Enterprise +### Set up Azure Active Directory JOINED Windows 10 device + +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup) 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index cc368c6633..638cb4079e 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 02/09/2018 --- # Monitor Windows Updates and Windows Defender Antivirus with Update Compliance @@ -35,9 +35,9 @@ See the following topics in this guide for detailed information about configurin - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. - +Click the following link to see a video demonstrating Update Compliance features. -An overview of the processes used by the Update Compliance solution is provided below. +[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube.com/embed/1cmF5c_R8I4) ## Update Compliance architecture diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index dc565440b6..a3a8becf16 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -4,10 +4,10 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: Jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/16/2017 +ms.author: jaimeo +ms.date: 02/09/2018 --- # Overview of Windows as a service @@ -23,7 +23,10 @@ ms.date: 10/16/2017 The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - +Click the following Microsoft Mechanics video for an overview of the release model, particularly the Semi-Annual Channel. + + +[![YouTube video of Michael Niehouse explaining how the Semi-Annual Channel works](images/SAC_vid_crop.jpg)](https://youtu.be/qSAsiM01GOU) ## Building diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 5716edbdd3..8ea214bbb5 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -4,10 +4,10 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: Jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 07/27/2017 +ms.author: jaimeo +ms.date: 02/09/2018 --- # Quick guide to Windows as a service @@ -58,7 +58,10 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window ## Video: An overview of Windows as a service - +Click the following Microsoft Mechanics video for an overview of the updated release model, particularly the Semi-Annual Channel. + + +[![YouTube video of Michael Niehouse explaining how the Semi-Annual Channel works](images/SAC_vid_crop.jpg)](https://youtu.be/qSAsiM01GOU) ## Learn more diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 16de770ebb..d3d5edf9a2 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 01/26/2018 +ms.date: 02/22/2018 ms.localizationpriority: high --- @@ -657,7 +657,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
              Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. -
              See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: +
              See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:

              @@ -694,6 +694,39 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes) + + + + +
              + +
              Code +
              + +0x80073BC3 - 0x20009
              +0x8007002 - 0x20009
              +0x80073B92 - 0x20009 + +
              + +
              +
              Cause +
              + +The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. + +
              +              		 + + +
              Mitigation +
              + +These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. + +
              +
              +
              Code
              diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 5c45338c1d..858aed34fc 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -18,7 +18,7 @@ This topic provides information on additional features that are available in Upg The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. > [!NOTE] -> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. +> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. ### Install prerequisite security update for Internet Explorer diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index ae10dbe161..8691c8f111 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -57,7 +57,6 @@ If you are not using OMS: 5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. - ### Copy your commercial ID key Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers. @@ -85,7 +84,7 @@ To enable data sharing, whitelist the following endpoints. Note that you may nee | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint. | `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10 | `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. -| `https://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | +| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | Note: The compatibility update KB runs under the computer’s system account. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index aaea599116..023c8405c5 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -82,7 +82,7 @@ Before you get started configuring Upgrade Anatlyics, review the following tips **Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. -**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported. +**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. Upgrade Readiness is supported in all OMS regions; however, selecting an international OMS region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. ### Tips diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index d74712221f..f1e9422095 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -35,7 +35,7 @@ The following color-coded status changes are reflected on the upgrade overview b Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs. -In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: +In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require a KB update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: ![Upgrade overview](../images/ur-overview.png) @@ -43,9 +43,9 @@ In the following example, there is no delay in data processing, less than 4% of --> -If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours. +If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours. -If there are computers with incomplete data, verify that you have installed the latest compatibilty update and run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. +If there are computers with incomplete data, verify that you have installed the latest compatibilty update KBs. Install the updated KBs if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script. Select **Total computers** for a list of computers and details about them, including: diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-downgrade-paths.md new file mode 100644 index 0000000000..d095a3d449 --- /dev/null +++ b/windows/deployment/upgrade/windows-10-downgrade-paths.md @@ -0,0 +1,160 @@ +--- +title: Windows 10 downgrade paths (Windows 10) +description: You can downgrade Windows 10 if the downgrade path is supported. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: high +ms.pagetype: mobile +author: greg-lindsay +ms.date: 02/15/2018 +--- + +# Windows 10 downgrade paths +**Applies to** + +- Windows 10 + +## Downgrading Windows 10 + +This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. + +If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required. + +To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). + +Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not supported, unless you are performing a rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. + +>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. + +>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown below. + +### Supported Windows 10 downgrade paths + +>[!NOTE] +>Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here. Switching between different editions of Pro is supported. This is not strictly considered an edition downgrade, but is included here for clarity. + +✔ = Supported downgrade path
              + +
              + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
              Destination edition
                    HomeProPro for WorkstationsPro EducationSEducationEnterprise LTSCEnterprise
              Starting edition
              Home
              Pro
              Pro for Workstations
              Pro Education
              S
              Education
              Enterprise LTSC
              Enterprise
              + + +## Related Topics + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
              +[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
              +[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
              +[Windows 10 upgrade paths](windows-10-upgrade-paths.md) + + + + + diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 359c1cb9bc..f46f0eb146 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -8,7 +8,7 @@ ms.localizationpriority: high ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 01/18/2018 +ms.date: 02/9/2018 --- # Windows 10 edition upgrade @@ -20,7 +20,7 @@ ms.date: 01/18/2018 With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. Note that the reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. ![not supported](../images/x_blk.png) (X) = not supported
              ![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
              @@ -46,25 +46,28 @@ X = unsupported
              | **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | | **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **S > Pro** | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![supported, no reboot](../images/check_blu.png) (version 1709) | -| **S > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![supported, no reboot](../images/check_blu.png) (version 1709) | -| **S > Pro Education** | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) (version 1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![not supported](../images/x_blk.png) | -| **S > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **S > Enterprise** | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png) (version 1703 - PC), (version 1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) (version 1709) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)) (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) (version 1703 - PC), (version 1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)) (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) (version 1703 - PC), (version 1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)) (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)) (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **S > Pro** | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![supported, no reboot](../images/check_blu.png)
              (1709) | +| **S > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![supported, no reboot](../images/check_blu.png)
              (1709) | +| **S > Pro Education** | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png)
              (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![not supported](../images/x_blk.png) | +| **S > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png)
              (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **S > Enterprise** | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![not supported](../images/x_blk.png) | ![supported, no reboot](../images/check_blu.png)
              (1703 - PC)
              (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png)
              (1709) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
              (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
              (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
              (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
              (1703 - PC)
              (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
              (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
              (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
              (1703 - PC)
              (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
              (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
              (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise LTSC > Enterprise** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
              (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
              (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | | **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. - +>
              +>
              Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). @@ -88,6 +91,11 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported `changepk.exe /ProductKey ` +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. + +`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` + + ## Upgrade by manually entering a product key If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 4ac4288fcb..45eeec2f16 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -20,14 +20,17 @@ ms.date: 01/18/2018 This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). ->**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.) +>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. + +>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. ✔ = Full upgrade is supported including personal data, settings, and applications.
              D = Edition downgrade; personal data is maintained, applications and settings are removed. - +
              +
              @@ -36,6 +39,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -51,6 +55,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -61,6 +66,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -71,6 +77,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -81,6 +88,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -91,6 +99,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -101,6 +110,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -114,6 +124,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -124,6 +135,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -134,6 +146,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -144,6 +157,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -154,6 +168,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -164,6 +179,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -174,6 +190,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -187,6 +204,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -197,6 +215,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -207,6 +226,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -217,6 +237,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -227,6 +248,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -237,6 +259,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -247,6 +270,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -257,6 +281,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -265,11 +290,12 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + - + @@ -280,6 +306,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -290,6 +317,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -300,6 +328,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -310,6 +339,18 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + + + + + + + + + + + + @@ -318,6 +359,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar + @@ -328,16 +370,19 @@ D = Edition downgrade; personal data is maintained, applications and settings ar +
                     Windows 10 Pro Education Windows 10 Education Windows 10 EnterpriseWindows 10 Enterprise LTSC Windows 10 Mobile Windows 10 Mobile Enterprise
              Home Basic
              Home Premium
              Professional
              Ultimate
              Enterprise
              Windows 8
              Professional
              Professional WMC
              Enterprise
              Embedded Industry
              Windows RT
              Windows Phone 8
              Windows 8.1
              Connected
              Professional
              Professional Student
              Professional WMC
              Enterprise
              Embedded Industry
              Windows RT
              Windows Phone 8.1
              Windows 10Windows 10
              Home
              Professional
              EducationD
              Enterprise
              Enterprise LTSC
              Mobile
              D
              + ## Related Topics -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
              -[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md) -  +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
              +[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
              +[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
              +[Windows 10 downgrade paths](windows-10-downgrade-paths.md) diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index f7f5d176dd..de3ae148a3 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -68,7 +68,7 @@ With Windows 10 Enterprise, businesses can benefit from enterprise-level securit You can benefit by moving to Windows as an online service in the following ways: 1. Licenses for Windows 10 Enterprise are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. -2. Azure AD logon triggers a silent edition upgrade, with no reboot required +2. User logon triggers a silent edition upgrade, with no reboot required 3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. 4. Compliance support via seat assignment. diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 73e64850ce..7fde2f9d2f 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -67,6 +67,7 @@ ### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md) ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) +### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md new file mode 100644 index 0000000000..7b30f32d4d --- /dev/null +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -0,0 +1,44 @@ +--- +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +description: Explains how to secure VPN connections for Diffie Hellman Group 2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +author: shortpatti +ms.author: pashort +ms.localizationpriority: medium +ms.date: 02/08/2018 +--- + +# How to configure Diffie Hellman protocol over IKEv2 VPN connections + +>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10 + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. +To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. + +## VPN server + +For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy +``` + +On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. + +```powershell +Set-VpnServerIPsecConfiguration -CustomPolicy +``` + +## VPN client + +For VPN client, you need to configure each VPN connection. +For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection: + + +```powershell +Set-VpnConnectionIPsecConfiguration -ConnectionName +``` + diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 6e06c0988e..fdfc93411b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -16,12 +16,13 @@ ## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md) -### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) -### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) +###Get started +#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md) #### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) -### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) -### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) +#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md) +#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) +#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) ### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) #### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) @@ -30,25 +31,29 @@ ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) +#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) #### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) -### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) +### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) +#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) #### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) #### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) -#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md) -#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) -##### [Incident graph](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) -##### [Alert timeline](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) -#### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md) -#### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md) -#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) -#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) -#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md) + +###Investigate and remediate threats +####Alerts queue +##### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md) +##### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) +##### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md) +##### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md) +##### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md) +##### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md) +##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) +##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md) + +####Machines list +##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) ##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) ##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) @@ -56,8 +61,8 @@ ###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) ###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) ###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md) -#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) + + #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) ###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) @@ -77,105 +82,111 @@ ####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) ####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) -### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md) -#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) -#### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md) -#### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md) -#### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md) -### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -#### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md) -#### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md) -#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md) -#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) -#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md) -##### Actor -###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md) -###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -##### Alerts -###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md) -###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -##### Domain -###### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md) -###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) -##### File -###### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) -###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md) -###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md) -###### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md) -###### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) +###API and SIEM support +#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md) +##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) +##### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md) +##### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md) +##### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md) +##### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md) -##### IP -###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md) -###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md) -##### Machines -###### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) -###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md) -###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md) -###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md) -###### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) -###### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) -###### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md) -###### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) -###### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) +#### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md) +##### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md) +##### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md) +##### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) +##### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md) +######Actor +####### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md) +####### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +######Alerts +####### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md) +####### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +####### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +######Domain +####### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md) +####### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) + +######File +####### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) +####### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md) +####### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md) +####### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md) +####### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) + +######IP +####### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md) +####### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md) +######Machines +####### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) +####### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md) +####### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +####### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md) +####### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) +####### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) +####### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md) +####### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) +####### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) -##### User -###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md) -###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md) +######User +####### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +####### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md) +####### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md) +###Reporting +#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) -### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) -### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) -#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +###Check service health and sensor state +#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) ##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) +#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md) #### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md) -#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) -#### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md) +#### [Enable advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) +#### [Enable preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md) #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) #### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) #### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md) -### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) +### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) -### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) +#### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) ### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) + ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 6f5966a3e8..20caac1504 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -31,9 +31,9 @@ This subcategory allows you to audit events generated by changes to security gro | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
              This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
              This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
              This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
              We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| +| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
              We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| +| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
              We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.| **Events List:** diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index 9c6c3d0c31..4c10382574 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -12,6 +12,13 @@ ms.date: 10/31/2017 # Change history for threat protection This topic lists new and updated topics in the [Threat protection](index.md) documentation. +## February 2018 + +New or changed topic | Description +---------------------|------------ +[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline. +[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events. + ## January 2018 |New or changed topic |Description | |---------------------|------------| diff --git a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md index 3b2d35881e..891d33a3be 100644 --- a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md +++ b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md @@ -70,13 +70,13 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule | **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | | **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. | | **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. | -| **5 Enabled:Inherent Default Policy** | This option is not currently supported. | +| **5 Enabled:Inherit Default Policy** | This option is not currently supported. | | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | | **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | | **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | -| **11 Disabled:Script Enforcement** | WDAC policies also restrict scripts and MSIs, and PowerShell runs in constrained language mode. Enabling this rule option will allow unsigned scripts to run and will leave PowerShell in full language mode. | +| **11 Disabled:Script Enforcement** | This option is not currently supported. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md index 755ea84cfe..be8ccb2590 100644 --- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: brianlic-msft -ms.date: 11/02/2017 +ms.date: 02/13/2018 --- # Steps to Deploy Windows Defender Application Control @@ -142,6 +142,12 @@ Microsoft recommends that you block the following Microsoft-signed applications + + + + + + @@ -392,7 +398,58 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -430,6 +487,12 @@ Microsoft recommends that you block the following Microsoft-signed applications + + + + + + @@ -678,6 +741,40 @@ Microsoft recommends that you block the following Microsoft-signed applications + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md index 4483edb168..158b2fede1 100644 --- a/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md @@ -16,7 +16,7 @@ ms.date: 11/28/2017 - Windows 10 - Windows Server 2016 -Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. +Virtualization-based protection of code integrity (herein referred to as hypervisor-protected code integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Some applications, including device drivers, may be incompatible with HVCI. diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 06f04138ac..28676d4b1b 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.author: sagaudre author: brianlic-msft -ms.date: 10/16/2017 +ms.date: 02/16/2018 --- # Microsoft Security Compliance Toolkit 1.0 @@ -32,6 +32,9 @@ The Security Compliance Toolkit consists of: - Windows Server 2016 - Windows Server 2012 R2 +- Microsoft Office Security Baselines + - Office 2016 + - Tools - Policy Analyzer tool - Local Group Policy Object (LGPO) tool diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 86e3a1b15f..b32948c986 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -34,7 +34,7 @@ The **Interactive logon: Prompt user to change password before expiration** poli ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 6ab49143bd..75dda71497 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: tedhardyMSFT -ms.date: 10/27/2017 +ms.date: 02/16/2018 --- # Use Windows Event Forwarding to help with intrusion detection @@ -636,9 +636,9 @@ Here are the minimum steps for WEF to operate: - + - + ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 84a88683e7..7efd232814 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 02/08/2018 --- @@ -38,7 +38,9 @@ Block at first sight is a feature of Windows Defender Antivirus cloud-delivered It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. -You can also [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. +You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. + +You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. > [!IMPORTANT] > There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index 6cdf425a42..e3847a41ad 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -57,8 +57,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull Topic | Description :---|:--- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png b/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png new file mode 100644 index 0000000000..13b0392123 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index c3705bb1d8..a7f177c650 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -72,7 +72,7 @@ The numbers beside the green triangle icon on each recommended action represents >[!IMPORTANT] >Recommendations that do not display a green triangle icon are informational only and no action is required. -Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. +Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. The following image shows an example list of machines where the EDR sensor is not turned on. diff --git a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md index d928035ce4..b376019c6a 100644 --- a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Advanced Threat Protection settings +title: Windows Defender Advanced Threat Protection time zone settings description: Use the menu to configure the time zone and view license information. keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh @@ -8,12 +8,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: macapara -author: DulceMV +author: mjcaparas ms.localizationpriority: high -ms.date: 10/30/2017 +ms.date: 02/13/2018 --- -# Windows Defender Advanced Threat Protection settings +# Windows Defender Advanced Threat Protection time zone settings **Applies to:** @@ -27,7 +27,7 @@ ms.date: 10/30/2017 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink) -Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone and view license information. +Use the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png) to configure the time zone and view license information. ## Time zone settings The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks. @@ -36,7 +36,7 @@ Cyberforensic investigations often rely on time stamps to piece together the seq Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time. -Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu ![Settings icon](images/settings.png). +Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). ### UTC time zone Windows Defender ATP uses UTC time by default. @@ -55,7 +55,7 @@ The Windows Defender ATP time zone is set by default to UTC. Setting the time zone also changes the times for all Windows Defender ATP views. To set the time zone: -1. Click the **Settings** menu ![Settings icon](images/settings.png). +1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). 2. Select the **Timezone UTC** indicator. 3. Select **Timezone UTC** or your local time zone, for example -7:00. @@ -88,5 +88,4 @@ The following date and time formats are currently not supported: **Decimal symbol used in numbers**
              Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K. -## License -Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP. + diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 487679607d..0dd01e9e60 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -307,5 +307,6 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ## Related topics +- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index 114d11828b..c384aeaa9e 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 02/13/2018 --- # Troubleshoot SIEM tool integration issues @@ -36,7 +36,7 @@ If your client secret expires or if you've misplaced the copy provided when you 1. Login to the [Azure management portal](https://ms.portal.azure.com). -2. Select **Active Directory**. +2. Select **Azure Active Directory**. 3. Select your tenant. @@ -48,10 +48,27 @@ If your client secret expires or if you've misplaced the copy provided when you 7. Copy the value and save it in a safe place. +## Error when getting a refresh access token +If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add reply URL for relevant application in Azure Active Directory. + +1. Login to the [Azure management portal](https://ms.portal.azure.com). + +2. Select **Azure Active Directory**. + +3. Select your tenant. + +4. Click **App Registrations**. Then in the applications list, select the application: + - For SIEM: `https://WindowsDefenderATPSiemConnector` + - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` + +5. Add the following URL: + - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. + - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + +6. Click **Save**. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) - ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 336ff2d686..64bd439f18 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -71,6 +71,6 @@ Support of use of comma as a separator in numbers are not supported. Regions whe >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) -### Related topic +## Related topics - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index 8e87ecf9ea..c4691b7324 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -40,4 +40,5 @@ Topic | Description [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. +[Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) | This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API. [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API. diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 7068cb4a06..75aed7ba70 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 02/13/2018 --- # Use the Windows Defender Advanced Threat Protection portal @@ -27,32 +27,19 @@ ms.date: 10/16/2017 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -A typical security breach investigation requires a member of a security operations team to: +You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards. -1. View an alert on the **Security operations dashboard** or **Alerts queue** -2. Review the indicators of compromise (IOC) or indications of attack (IOAs) -3. Review a timeline of alerts, behaviors, and events from the machine -4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert +Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. -![Flowchart describing the four stages of investigation](images/overview.png) +Use the **Security analytics** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. -Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal. - -Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance. ### In this section Topic | Description :---|:--- +[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions. [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. -[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues. -[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. -[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. -[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. -[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. -[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. -[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. -[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts. -[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. -[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks. + +