deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into atp-new-api

Browse Source
This commit is contained in:
Joey Caparas 2018-10-19 16:01:25 -07:00
commit d829d5d419
64 changed files with 695 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
View File

@ -159,7 +159,7 @@ This table includes the attributes used by the Enterprise Mode schema.
</tr>
<tr>
<td>&lt;exclude&gt;</td>
<td>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.
<td>Specifies the domain or path excluded from applying the behavior and is supported on the &lt;domain&gt; and &lt;path&gt; elements.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
@ -230,4 +230,4 @@ If you want to target specific sites in your organization.
|You can specify subdomains in the domain tag. |<code>&lt;docMode&gt;<br>&lt;domain docMode="5"&gt;contoso.com&lt;/domain&gt;<br>&lt;domain docMode="9"&gt;info.contoso.com&lt;/domain&gt;<br>&lt;docMode&gt;</code> |<ul><li>contoso.com uses document mode 5.</li><li>info.contoso.com uses document mode 9.</li><li>test.contoso.com also uses document mode 5.</li></ul>|
|You can specify exact URLs by listing the full path. |<code>&lt;emie&gt;<br>&lt;domain exclude="false"&gt;bing.com&lt;/domain&gt;<br>&lt;domain exclude="false" forceCompatView="true"&gt;contoso.com&lt;/domain&gt;<br>&lt;emie&gt;</code>|<ul><li>bing.com uses IE8 Enterprise Mode.</li><li>contoso.com uses IE7 Enterprise Mode.</li></ul>|
|You can nest paths underneath domains. |<code>&lt;emie&gt;<br>&lt;domain exclude="true"&gt;contoso.com<br>&lt;path exclude="false"&gt;/about&lt;/path&gt;<br>&lt;path exclude="true"&gt;<br>/about/business&lt;/path&gt;<br>&lt;/domain&gt;<br>&lt;/emie&gt;</code> |<ul><li>contoso.com will use the default version of IE.</li><li>contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.</li></ul> |
|You cant add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<code>&lt;emie&gt;<br>&lt;domain exclude="true"&gt;contoso.com<br>&lt;path&gt;/about<br>&lt;path exclude="true"&gt;/business&lt;/path&gt;<br>&lt;/path&gt;<br>&lt;/domain&gt;<br>&lt;/emie&gt;</code> |<ul><li>contoso.com will use the default version of IE.</li><li>contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.</li></ul> |
|You cant add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<code>&lt;emie&gt;<br>&lt;domain exclude="true"&gt;contoso.com<br>&lt;path&gt;/about<br>&lt;path exclude="true"&gt;/business&lt;/path&gt;<br>&lt;/path&gt;<br>&lt;/domain&gt;<br>&lt;/emie&gt;</code> |<ul><li>contoso.com will use the default version of IE.</li><li>contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.</li></ul> |

2
education/index.md
View File

@ -25,7 +25,7 @@ ms.date: 10/30/2017
</div>
</li>
<li>
<a href="https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx" target="_blank">
<a href="https://docs.microsoft.com/en-us/microsoft-365/education/deploy/top-10" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">

18
education/windows/set-up-school-pcs-provisioning-package.md
View File

@ -10,7 +10,7 @@ ms.pagetype: edu
ms.localizationpriority: medium
author: lenewsad
ms.author: lanewsad
ms.date: 07/13/2018
ms.date: 10/17/2018
---
# What's in my provisioning package?
@ -107,6 +107,22 @@ Set up School PCs uses the Universal app install policy to install school-releva
* OneNote
* Sway
## Provisioning time estimates
The time it takes to install a package on a device depends on the:
* Strength of network connection
* Number of policies and apps within the package
* Additional configurations made to the device
Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision.
|Configurations |Connection type |Estimated provisioning time |
|---------|---------|---------|
|Default settings only | Wi-Fi | 3 to 5 minutes |
|Default settings + apps | Wi-Fi | 10 to 15 minutes |
|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes |
|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes |
## Next steps
Learn more about setting up devices with the Set up School PCs app.
* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)

10
windows/application-management/msix-app-packaging-tool.md
View File

@ -8,19 +8,19 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: mikeblodge
ms.topic: article
ms.date: 10/16/2018
ms.date: 10/18/2018
---
# Repackage existing win32 applications to the MSIX format
The MSIX Packaging Tool is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
The MSIX Packaging Tool 1.2018.1005.0 is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
> Prerequisites:
- Participate in the Windows Insider Program or update to Windows 10 October 2018 Update (version 1809)
- Minimum Windows 10 build 17701
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you're using an Insider build)
- A valid Micorsoft account (MSA) alias to access the app from the Microsoft Store
- Admin privileges on your PC account
- A valid Micorsoft account (MSA) alias to access the app from the Store
## Installing the MSIX Packaging Tool

4
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -50,6 +50,10 @@ These tools were included in previous versions of Windows and the associated doc
>[!TIP]  
>If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content. 
## Related topics
[Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview)
 

2
windows/deployment/TOC.md
View File

@ -228,6 +228,7 @@
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md)
### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
@ -239,6 +240,7 @@
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md)
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)

2
windows/deployment/s-mode.md
View File

@ -27,7 +27,7 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E
**Choice and flexibility**
Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you dont find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode) at any time and search the web for more choices.
Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you dont find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode) to Home, Pro, or Enterprise at any time and search the web for more choices, as shown below.
![Switching out of S mode flow chart](images/s-mode-flow-chart.png)

203
windows/deployment/update/PSFxWhitepaper.md Normal file
View File

@ -0,0 +1,203 @@
---
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 10/18/2018
---
# Windows Updates using forward and reverse differentials
Windows 10 monthly quality updates are cumulative, containing all previously
released fixes to ensure consistency and simplicity. For an operating system
platform like Windows 10, which stays in support for multiple years, the size of
monthly quality updates can quickly grow large, thus directly impacting network
bandwidth consumption.
Today, this problem is addressed by using express downloads, where differential
downloads for every changed file in the update are generated based on selected
historical revisions plus the base version. In this paper, we introduce a new
technique to build compact software update packages that are applicable to any
revision of the base version, and then describe how Windows 10 quality updates
uses this technique.
## General Terms
The following general terms apply throughout this document:
- *Base version*: A major software release with significant changes, such as
Windows 10, version 1809 (Windows 10 Build 17763.1)
- *Revision*: Minor releases in between the major version releases, such as
KB4464330 (Windows 10 Build 17763.55)
- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that
contain full binaries or files
## Introduction
In this paper, we introduce a new technique that can produce compact software
updates optimized for any origin/destination revision pair. It does this by
calculating forward the differential of a changed file from the base version and
its reverse differential back to the base version. Both forward and reverse
differentials are then packaged as an update and distributed to the endpoints
running the software to be updated. The update package contents can be symbolized as follows:
![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png)
The endpoints that have the base version of the file (V<sub>0</sub>) hydrate the target
revision (V<sub>N</sub>) by applying a simple transformation:
![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png)
The endpoints that have revision N of the file (V<sub>N</sub>), hydrate the target revision
(V<sub>R</sub>) by applying the following set of transformations:
![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png)
The endpoints retain the reverse differentials for the software revision they
are on, so that it can be used for hydrating and applying next revision update.
By using a common baseline, this technique produces a single update package with
numerous advantages:
- Compact in size
- Applicable to all baselines
- Simple to build
- Efficient to install
- Redistributable
Historically, download sizes of Windows 10 quality updates (Windows 10, version
1803 and older supported versions of Windows 10) are optimized by using express
download. Express download is optimized such that updating Windows 10 systems
will download the minimum number of bytes. This is achieved by generating
differentials for every updated file based on selected historical base revisions
of the same file + its base or RTM version.
For example, if the October monthly quality update has updated Notepad.exe,
differentials for Notepad.exe file changes from September to October, August to
October, July to October, June to October, and from the original feature release
to October are generated. All these differentials are stored in a Patch Storage
File (PSF, also referred to as “express download files”) and hosted or cached on
Windows Update or other update management or distribution servers (for example,
Windows Server Update Services (WSUS), System Center Configuration Manager, or a
non-Microsoft update management or distribution server that supports express
updates). A device leveraging express updates uses network protocol to determine
optimal differentials, then downloads only what is needed from the update
distribution endpoints.
The flipside of express download is that the size of PSF files can be very large
depending on the number of historical baselines against which differentials were
calculated. Downloading and caching large PSF files to on-premises or remote
update distribution servers is problematic for most organizations, hence they
are unable to leverage express updates to keep their fleet of devices running
Windows 10 up to date. Secondly, due to the complexity of generating
differentials and size of the express files that need to be cached on update
distribution servers, it is only feasible to generate express download files for
the most common baselines, thus express updates are only applicable to selected
baselines. Finally, calculation of optimal differentials is expensive in terms
of system memory utilization, especially for low-cost systems, impacting their
ability to download and apply an update seamlessly.
In the following sections, we describe how Windows 10 quality updates will
leverage this technique based on forward and reverse differentials for newer
releases of Windows 10 and Windows Server to overcome the challenges with
express downloads.
## High-level Design
### Update packaging
Windows 10 quality update packages will contain forward differentials from
quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM
(∆N→RTM) for each file that has changed since RTM. By using the RTM version as
the baseline, we ensure that all devices will have an identical payload. Update
package metadata, content manifests, and forward and reverse differentials will
be packaged into a cabinet file (.cab). This .cab file, and the applicability
logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
There can be cases where new files are added to the system during servicing.
These files will not have RTM baselines, thus forward and reverse differentials
cannot be used. In these scenarios, null differentials will be used to handle
servicing. Null differentials are the slightly compressed and optimized version
of the full binaries. Update packages can have either
forward or reverse differentials, or null differential of any given binary in
them. The following image symbolizes the content of a Windows 10 quality update installer:
![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png)
### Hydration and installation
Once the usual applicability checks are performed on the update package and are
determined to be applicable, the Windows component servicing infrastructure will
hydrate the full files during pre-installation and then proceed with the usual
installation process.
Below is a high-level sequence of activities that the component servicing
infrastructure will run in a transaction to complete installation of the update:
- Identify all files that are required to install the update.
- Hydrate each of necessary files using current version (V<sub>N</sub>) of the file,
reverse differential (V<sub>N</sub>--->RTM) of the file back to quality update RTM/base
version and forward differential (V<sub>RTM</sub>--->R) from feature update RTM/base
version to the target version. Also, use null differential hydration to
hydrate null compressed files.
- Stage the hydrated files (full file), forward differentials (under f
folder) and reverse differentials (under r folder) or null compressed
files (under n folder) in the component store (%windir%\\WinSxS folder).
- Resolve any dependencies and install components.
- Clean up older state (V<sub>N-1</sub>); the previous state V<sub>N</sub> is retained for
uninstallation and restoration or repair.
### **Resilient Hydration**
To ensure resiliency against component store corruption or missing files that
could occur due to susceptibility of certain types of hardware to file system
corruption, a corruption repair service has been traditionally used to recover
the component store automatically (“automatic corruption repair”) or on demand
(“manual corruption repair”) using an online or local repair source. This
service will continue to offer the ability to repair and recover content for
hydration and successfully install an update, if needed.
When corruption is detected during update operations, automatic corruption
repair will start as usual and use the Baseless Patch Storage File published to
Windows Update for each update to fix corrupted manifests, binary differentials,
or hydrated or full files. Baseless patch storage files will contain reverse and
forward differentials and full files for each updated component. Integrity of
the repair files will be hash verified.
Corruption repair will use the component manifest to detect missing files and
get hashes for corruption detection. During update installation, new registry
flags for each differential staged on the machine will be set. When automatic
corruption repair runs, it will scan hydrated files using the manifest and
differential files using the flags. If the differential cannot be found or
verified, it will be added to the list of corruptions to repair.
### Lazy automatic corruption repair
“Lazy automatic corruption repair” runs during update operations to detect
corrupted binaries and differentials. While applying an update, if hydration of
any file fails, "lazy" automatic corruption repair automatically starts,
identifies the corrupted binary or differential file, and then adds it to the
corruption list. Later, the update operation continues as far as it can go, so
that "lazy" automatic corruption repair can collect as many corrupted files to fix
as possible. At the end of the hydration section, the update fails, and
automatic corruption repair starts. Automatic corruption repair runs as usual
and at the end of its operation, adds the corruption list generated by "lazy"
automatic corruption repair on top of the new list to repair. Automatic
corruption repair then repairs the files on the corruption list and installation
of the update will succeed on the next attempt.

23
windows/deployment/update/fod-and-lang-packs.md Normal file
View File

@ -0,0 +1,23 @@
---
title: Windows 10 - How to make FoDs and language packs available when you're using WSUS/SCCM
description: Learn how to make FoDs and language packs available for updates when you're using WSUS/SCCM.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: article
ms.author: elizapo
author: lizap
ms.localizationpriority: medium
ms.date: 10/18/2018
---
# How to make Features on Demand and language packs available when you're using WSUS/SCCM
> Applies to: Windows 10
As of Windows 10, version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) and language packs for Windows 10 clients. Instead, you can pull them directly from Windows Update - you just need to change a Group Policy setting that lets clients download these directly from Windows Update. You can also host Features on Demand and language packs on a network share, but starting with Windows 10, version 1809, language packs can only be installed from Windows Update.
For Active Directory and Group Policy environments running in a WSUS\SCCM environment change the **Specify settings for optional component installation and component repair** policy to enable downloading Features on Demand directly from Windows Update or a local share. This setting is located in Computer Configuration\Administrative Templates\System in the Group Policy Editor.
Changing this policy only enables Features on Demand and language pack downloads from Windows Update - it doesn't affect how clients get feature and quality updates. Feature and quality updates will continue to come directly from WSUS\SCCM. It also doesn't affect the schedule for your clients to receive updates.
Learn about other client management options, including using Group Policy and ADMX, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).

BIN
windows/deployment/update/images/PSF1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.4 KiB

BIN
windows/deployment/update/images/PSF2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

BIN
windows/deployment/update/images/PSF3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

BIN
windows/deployment/update/images/PSF4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

2
windows/deployment/update/servicing-stack-updates.md
View File

@ -45,5 +45,5 @@ Typically, the improvements are reliability, security, and performance improveme
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Search to install latest available (Servicing stack update for Windows 10)[https://support.microsoft.com/en-us/search?query=servicing%20stack%20update%20Windows%2010].
* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/en-us/search?query=servicing%20stack%20update%20Windows%2010).

4
windows/deployment/update/waas-quick-start.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 05/29/2018
ms.date: 10/17/2018
---
# Quick guide to Windows as a service
@ -35,6 +35,8 @@ Some new terms have been introduced as part of Windows as a service, so you shou
See [Overview of Windows as a service](waas-overview.md) for more information.
For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
## Key Concepts
Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.

2
windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
View File

@ -22,7 +22,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi
## Proof-of-concept environment
For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
![figure 1](../images/upgrademdt-fig1-machines.png)

2
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -382,7 +382,7 @@ WDSUTIL /Set-Server /AnswerClients:None
In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
```
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.

1
windows/deployment/windows-autopilot/TOC.md
View File

@ -4,6 +4,7 @@
### [Network requirements](windows-autopilot-requirements-network.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Support for existing devices](existing-devices.md)
### [User-driven mode](user-driven.md)
### [Self-deploying mode](self-deploying.md)
### [Enrollment status page](enrollment-status.md)

4
windows/deployment/windows-autopilot/add-devices.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/18
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Adding devices to Windows Autopilot

4
windows/deployment/windows-autopilot/configure-autopilot.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/18
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Configure Autopilot deployment

2
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 07/13/18
ms.date: 10/02/2018
---
# Demonstrate Autopilot deployment on a VM

6
windows/deployment/windows-autopilot/enrollment-status.md
View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype:
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot Enrollment Status page
@ -42,7 +42,7 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha
Presently the following types of policies are not tracked:
- Intune Management Extentions PowerShell scripts.
- Intune Management Extensions PowerShell scripts.
- Office 365 ProPlus installations.
- System Center Configuration Manager apps, packages, and task sequences.

270
windows/deployment/windows-autopilot/existing-devices.md
View File

@ -1,5 +1,5 @@
---
title: Autopilot for existing devices
title: Windows Autopilot for existind devices
description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
@ -8,12 +8,272 @@ ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 10/11/2018
ms.author: greg-lindsay
ms.date: 10/19/2018
---
# Autopilot for existing devices
# Windows Autopilot for existing devices
**Applies to: Windows 10**
Placeholder. Content coming.
Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
This topic describes how to convert Windows 7 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
## Prerequisites
- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808)
- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later
- Assigned Microsoft Intune Licenses
- Azure Active Directory Premium
- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image
## Procedures
### Create the JSON file
>[!TIP]
>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616).
1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window
2. Enter the following lines to install the necessary modules
#### Install required modules
```
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module AzureAD -Force
Install-Module WindowsAutopilotIntune -Force
```
3. Enter the following lines and provide Intune administrative credentials
- In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
```
Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com
```
The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**.
<br>See the following example:
![Azure AD authentication](images/pwd.png)
If this is the first time youve used the Intune Graph APIs, youll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions:
- Select **Consent on behalf or your organization**
- Click **Accept**
4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format:
#### Retrieve profiles in Autopilot for existing devices JSON format
```
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON >
```
See the following sample output:
<pre style="overflow-y: visible">
PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
{
"CloudAssignedTenantId": "1537de22-988c-4e93-b8a5-83890f34a69b",
"Version": 2049,
"Comment_CloudAssignedOobeConfig": "0x7FFFFFFF",
"Comment_Version": "0x801",
"Comment_File": "Profile Autopilot Profile",
"CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
"CloudAssignedOobeConfig": 30,
"CloudAssignedDomainJoinMethod": 0,
"ZtdCorrelationId": "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC",
"CloudAssignedLockdownConfig": 0,
"CloudAssignedTenantDomain": "M365x373186.onmicrosoft.com"
}</pre>
Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed.
See the following table for a description of properties used in the JSON file.
| Property | Description |
| --- | --- |
| Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. |
| CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. |
| CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. |
| CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16
| CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. |
| CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment. <br>0 = not required, 1 = required. |
| ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.|
| CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled. <br> Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}"|
| CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. |
5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below:
```
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
```
**IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII or ANSI.
If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example.
![Notepad JSON](images/notepad.png)
After saving the file, move the file to a location suitable as an SCCM package source.
>[!IMPORTANT]
>Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI. Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience.
### Create a package containing the JSON file
1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages**
2. On the ribbon, click **Create Package**
3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:<br>
- <u>Name</u>: **Autopilot for existing devices config**
- Select the **This package contains source files** checkbox
- <u>Source folder</u>: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file.
- Click **OK** and then click **Next**.
- <u>Program Type</u>: **Do not create a program**
4. Click **Next** twice and then click **Close**.
### Create a target collection
>[!NOTE]
>You can also choose to reuse an existing collection
1. Navigate to **\Assets and Compliance\Overview\Device Collections**
2. On the ribbon, click **Create** and then click **Create Device Collection**
3. In the **Create Device Collection Wizard** enter the following **General** details:
- <u>Name</u>: **Autopilot for existing devices collection**
- Comment: (optional)
- <u>Limiting collection</u>: Click **Browse** and select **All Systems**
>[!NOTE]
>You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select.
4. Click **Next**, then enter the following **Membership Rules** details:
- Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection.
- For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples.
![Named resource1](images/pc-01a.png)
![Named resource2](images/pc-01b.png)
5. Continue creating the device collection with the default settings:
- Use incremental updates for this collection: not selected
- Schedule a full update on this collection: default
- Click **Next** twice and then click **Close**
### Create an Autopilot for existing devices Task Sequence
>[!TIP]
>The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later.
1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences**
2. On the Home ribbon, click **Create Task Sequence**
3. Select **Install an existing image package** and then click **Next**
4. In the Create Task Sequence Wizard enter the following details:
- <u>Task sequence name</u>: **Autopilot for existing devices**
- <u>Boot Image</u>: Click **Browse** and select a Windows 10 boot image (1803 or later)
- Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later.
- Select the **Partition and format the target computer before installing the operating system** checkbox.
- Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional.
- <u>Product Key</u> and <u>Server licensing mode</u>: Optionally enter a product key and server licencing mode.
- <u>Randomly generate the local administrator password and disable the account on all support platforms (recommended)</u>: Optional.
- <u>Enable the account and specify the local administrator password</u>: Optional.
- Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**.
>[!IMPORTANT]
>The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain.
5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page.
6. On the State Migration page, enter the following details:
- Clear the **Capture user settings and files** checkbox.
- Clear the **Capture network settings** checkbox.
- Clear the **Capture Microsoft Windows settings** checkbox.
- Click **Next**.
>[!NOTE]
>The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined devices.
7. On the Include Updates page, choose one of the three available options. This selection is optional.
8. On the Install applications page, add applications if desired. This is optional.
9. Click **Next**, confirm settings, click **Next** and then click **Close**.
10. Right click on the Autopilot for existing devices task sequence and click **Edit**.
11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action.
12. Click **Add** then click **New Group**.
13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**.
14. Click **Add**, point to **General**, then click **Run Command Line**.
15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group.
16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**:
```
cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c
```
- **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier.
17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**.
18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section.
19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task.
20. Click **Add** and then click **New Group**.
21. Change **Name** from **New Group** to **Prepare Device for Autopilot**
22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary.
23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**.
24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step:
- <u>Automatically build mass storage driver list</u>: **Not selected**
- <u>Do not reset activation flag</u>: **Not selected**
- <u>Shutdown the computer after running this action</u>: **Optional**
![Autopilot task sequence](images/ap-ts-1.png)
25. Click **OK** to close the Task Sequence Editor.
### Deploy Content to Distribution Points
Next, ensure that all content required for the task sequence is deployed to distribution points.
1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**.
2. Click **Next**, **Review the content to distribute** and then click **Next**.
3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**.
4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run.
5. When you are finished specifying content distribution, click **Next** twice then click **Close**.
### Deploy the OS with Autopilot Task Sequence
1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**.
2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details:
- <u>Task Sequence</u>: **Autopilot for existing devices**.
- <u>Collection</u>: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer).
- Click **Next** to specify **Deployment Settings**.
- <u>Action</u>: **Install**.
- <u>Purpose</u>: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations.
- <u>Make available to the following</u>: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media.
- Click **Next** to specify **Scheduling** details.
- <u>Schedule when this deployment will become available</u>: Optional
- <u>Schedule when this deployment will expire</u>: Optional
- Click **Next** to specify **User Experience** details.
- <u>Show Task Sequence progress</u>: Selected.
- <u>Software Installation</u>: Not selected.
- <u>System restart (if required to complete the installation)</u>: Not selected.
- <u>Commit changed at deadline or during a maintenance windows (requires restart)</u>: Optional.
- <u>Allow task sequence to be run for client on the Internet</u>: Optional
- Click **Next** to specify **Alerts** details.
- <u>Create a deployment alert when the threshold is higher than the following</u>: Optional.
- Click **Next** to specify **Distribution Points** details.
- <u>Deployment options</u>: **Download content locally when needed by the running task sequence**.
- <u>When no local distribution point is available use a remote distribution point</u>: Optional.
- <u>Allow clients to use distribution points from the default site boundary group</u>: Optional.
- Click **Next**, confirm settings, click **Next**, and then click **Close**.
### Complete the client installation process
1. Open the Software Center on the target Windows 7 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt:
```
C:\Windows\CCM\SCClient.exe
```
2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example:
![Named resource2](images/sc.png)
![Named resource2](images/sc1.png)
The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience.
### Register the device for Windows Autopilot
Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. There is currently no automatic registration into Windows Autopilot. Therefore, once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset.

BIN
windows/deployment/windows-autopilot/images/ap-ts-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 117 KiB

BIN
windows/deployment/windows-autopilot/images/ap-ts.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
windows/deployment/windows-autopilot/images/notepad.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/deployment/windows-autopilot/images/pc-01a.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/deployment/windows-autopilot/images/pc-01b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/deployment/windows-autopilot/images/pwd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/deployment/windows-autopilot/images/sc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/deployment/windows-autopilot/images/sc1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

4
windows/deployment/windows-autopilot/profiles.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/18
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Configure Autopilot profiles

4
windows/deployment/windows-autopilot/self-deploying.md
View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype:
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot Self-Deploying mode (Preview)

4
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Troubleshooting Windows Autopilot

6
windows/deployment/windows-autopilot/user-driven-aad.md
View File

@ -8,12 +8,12 @@ ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 10/11/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot user-driven mode for Azure Active Directory
**Applies to: Windows 10**
Placeholder. Content coming.
PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md.

8
windows/deployment/windows-autopilot/user-driven-hybrid.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 10/11/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
@ -17,4 +17,8 @@ ms.date: 10/11/2018
**Applies to: Windows 10**
<<<<<<< HEAD
PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions.
=======
Placeholder. Content coming.
>>>>>>> 01422d156afc7ab2286b8769aee1c4c39351a5f6

9
windows/deployment/windows-autopilot/user-driven.md
View File

@ -8,14 +8,11 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.date: 10/02/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot User-Driven Mode
**Applies to: Windows 10 version 1703 and above**
Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
- Unbox the device, plug it in, and turn it on.

4
windows/deployment/windows-autopilot/windows-10-autopilot.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 08/22/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Overview of Windows Autopilot

4
windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot configuration requirements

7
windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
View File

@ -8,9 +8,10 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
---
ms.author: greg-lindsay
ms.date: 10/02/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
# Windows Autopilot licensing requirements

4
windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot networking requirements

4
windows/deployment/windows-autopilot/windows-autopilot-requirements.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot requirements

4
windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype:
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Reset devices with local Windows Autopilot Reset

4
windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype:
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Reset devices with remote Windows Autopilot Reset (Preview)

4
windows/deployment/windows-autopilot/windows-autopilot-reset.md
View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype:
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot Reset

4
windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Windows Autopilot scenarios

4
windows/deployment/windows-autopilot/windows-autopilot.md
View File

@ -8,8 +8,8 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
ms.date: 06/01/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
---
# Overview of Windows Autopilot

2
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -325,7 +325,7 @@ If you're running into compatibility issues where your app is incompatible with
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
1. In **Mobile apps - App protection policies**, click **Exempt apps**.
1. In **Client apps - App protection policies**, click **Exempt apps**.
![Exempt apps](images/exempt-apps.png)

82
windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
View File

@ -50,7 +50,7 @@ After youve set up Intune for your organization, you must create a WIP-specif
The Microsoft Intune Overview blade appears.
2. Click **Mobile apps**, click **App protection policies**, and then click **Add a policy**.
2. Click **Client apps**, click **App protection policies**, and then click **Add a policy**.
![Microsoft Intune management console: App policy link](images/wip-azure-portal-start-mam.png)
@ -71,12 +71,12 @@ After youve set up Intune for your organization, you must create a WIP-specif
4. Click **Create**.
The policy is created and appears in the table on the **Mobile apps - App protection policies** blade.
The policy is created and appears in the table on the **Client apps - App protection policies** blade.
>[!NOTE]
>Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
## Add apps to your Allowed apps list
## Add apps to your Protected apps list
During the policy-creation process in Intune, you can choose the apps you want to allow, as well as deny, access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. You can also import a list of approved apps or add exempt apps.
@ -84,19 +84,19 @@ The steps to add your apps are based on the type of template being applied. You
In addition, you can create an app deny list related to the policy based on an **action** value. The action can be either **Allow** or **Deny**. When you specify the deny action for an app using the policy, corporate access is denied to the app.
>[!Important]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you dont get this statement, its possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Protected apps** list. If you dont get this statement, its possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation.
### Add a Recommended app to your Allowed apps list
For this example, were going to add a few recommended apps to the **Allowed apps** list.
### Add a Recommended app to your Protected apps list
For this example, were going to add a few recommended apps to the **Protected apps** list.
**To add a recommended app**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
2. From the **Allowed apps** blade, click **Add apps**.
2. From the **Protected apps** blade, click **Add apps**.
The **Add apps** blade appears, showing you all **Recommended apps**.
@ -104,27 +104,27 @@ For this example, were going to add a few recommended apps to the **Allowed a
3. Select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade updates to show you your selected apps.
The **Protected apps** blade updates to show you your selected apps.
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
![Microsoft Intune management console: Protected apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
4. Click **Save** to save the **Allowed apps** list to your policy.
4. Click **Save** to save the **Protected apps** list to your policy.
### Add a Store app to your Allowed apps list
For this example, were going to add Microsoft Power BI, a Windows store app, to the **Allowed apps** list.
### Add a Store app to your Protected apps list
For this example, were going to add Microsoft Power BI, a Windows store app, to the **Protected apps** list.
**To add a Store app**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
2. From the **Protected apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Store apps** from the dropdown list.
4. Type the friendly name of the app, the publisher info, and the product name. For this example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.MicrosoftPowerBIForWindows`.
5. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy.
5. After youve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy.
>[!NOTE]
>To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and continue to add more apps. When youre done, click **OK**.
@ -180,15 +180,15 @@ If you don't know the publisher or product name for your Store app, you can find
>The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
### Add a Desktop app to your Allowed apps list
For this example, were going to add WordPad, a Desktop app, to the **Allowed apps** list.
### Add a Desktop app to your Protected apps list
For this example, were going to add WordPad, a Desktop app, to the **Protected apps** list.
**To add a Desktop app**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
2. From the **Protected apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
@ -233,7 +233,7 @@ For this example, were going to add WordPad, a Desktop app, to the **Allowed
</tr>
</table>
4. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy.
4. After youve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy.
>[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
@ -257,10 +257,10 @@ Path Publisher
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
### Import a list of apps to your Allowed apps list
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
### Import a list of apps to your Protected apps list
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
**To create a list of Protected apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@ -334,9 +334,9 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your list of Allowed apps using Microsoft Intune**
**To import your list of Protected apps using Microsoft Intune**
1. From the **Allowed apps** area, click **Import apps**.
1. From the **Protected apps** area, click **Import apps**.
The blade changes to let you add your import file.
@ -349,7 +349,7 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
### Add exempt apps to your policy
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list**
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears.
@ -361,13 +361,13 @@ If you're running into compatibility issues where your app is incompatible with
3. Fill out the rest of the app info, based on the type of app youre adding:
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Protected apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- **Store app.** Follow the instructions in the [Add a Store app to your Protected apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Protected apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Protected apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
4. Click **OK**.
@ -384,7 +384,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
**To add your protection mode**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
@ -406,7 +406,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
**To change your corporate identity**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
@ -427,7 +427,7 @@ Intune will add SharePoint sites that are discovered through the Graph API. You
**To define where your allowed apps can find and send enterprise data on you network**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -501,7 +501,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic.
**To upload your DRA certificate**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -514,7 +514,7 @@ After you've decided where your protected apps can access enterprise data on you
**To set your optional settings**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -572,7 +572,7 @@ You can turn on Windows Hello for Business, letting your employees use it as a s
**To turn on and configure Windows Hello for Business**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -636,7 +636,7 @@ After youve created your policy, you'll need to deploy it to your employees.
**To deploy your policy**
1. On the **Mobile apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**.
1. On the **Client apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**.
A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.

4
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -1,7 +1,7 @@
---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|

2
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -77,7 +77,7 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using allowed apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.

4
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.author: justinha
ms.date: 05/30/2018
ms.date: 10/18/2018
ms.localizationpriority: medium
---
@ -20,7 +20,7 @@ ms.localizationpriority: medium
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.

2
windows/security/threat-protection/auditing/event-4779.md
View File

@ -23,7 +23,7 @@ ms.date: 04/19/2017
***Event Description:***
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching).
This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.

53
windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
View File

@ -1,16 +1,16 @@
---
title: How to get a list of XML elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in <EventData>.
title: How to get a list of XML data name elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: tedhardyMSFT
ms.date: 10/15/2018
ms.date: 10/18/2018
---
# How to get a list of XML elements in EventData
# How to get a list of XML data name elements in EventData
**Applies to**
- Windows 10
@ -82,3 +82,48 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
</template>
```
## Mapping data name elements to the names in an event description
You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
The <Description> is just the format string (if youre used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
Using Security event 4734 as an example:
```xml
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Description : A security-enabled local group was deleted.
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
```
For the "Subject: Security Id:" text element, it will use the fourth element in the Template, "SubjectUserSid".
For "Additional Information Privileges:", it would use the eighth element "PrivelegeList".
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.

2
windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
View File

@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se
Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

2
windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
View File

@ -46,4 +46,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

4
windows/security/threat-protection/intelligence/virus-initiative-criteria.md
View File

@ -52,6 +52,6 @@ Your organization must meet the following eligibility requirements to participat
7. Submit your AM app to Microsoft for periodic performance testing.
### Apply to MVI
### Apply now
If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

4
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 10/19/2017
ms.date: 10/17/2017
---
# Configure Windows Defender Application Guard policy settings
@ -46,5 +46,5 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.<br><br></ul>**Important**<br>Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br></ul>**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Windows Defender Application Guard to use Root Certificate Authorities from users's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Multiple certificates can be specified by using a common to separate.<br><br></ul>**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<br><br></ul>**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br></ul>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

8
windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -9,8 +9,10 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 10/19/2018
---
# Create and build Power BI reports using Windows Defender ATP data
**Applies to:**
@ -122,7 +124,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
### Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
2. In the navigation pane, select **Settings** > **Power BI reports**.
2. In the Windows Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
![Image of settings Power BI reports](images/atp-settings-powerbi.png)
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.

2
windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
View File

@ -31,7 +31,7 @@ Each layer in the threat protection stack plays a critical role in protecting cu
Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
## Office 365 Advanced Threat Protection (Office 365 ATP)
The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
## Azure Advanced Threat Protection (Azure ATP)
Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.

8
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 10/17/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -56,7 +56,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps:
@ -120,8 +120,6 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
This rule prevents scripts that appear to be obfuscated from running.
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
### Rule: Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
@ -168,7 +166,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block only Office communication applications from creating child processes
### Rule: Block Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.

4
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 10/17/2018
---
# Customize attack surface reduction rules
@ -61,7 +61,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 10/17/2018
---
# Enable attack surface reduction rules
@ -46,7 +46,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.