+
Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
## New settings
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 5e1c0977a8..88634df13a 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
localizationpriority: medium
---
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 6d0b8bbda7..8b90760907 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -3,6 +3,8 @@ title: Use fully qualified doman name with Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: support
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 39d7708dde..8a77082f26 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
localizationpriority: medium
---
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
new file mode 100644
index 0000000000..5873701961
--- /dev/null
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -0,0 +1,77 @@
+---
+title: Set up and use Whiteboard to Whiteboard collaboration
+description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
+localizationpriority: medium
+---
+
+# Set up and use Whiteboard to Whiteboard collaboration (Surface Hub)
+
+Microsoft Whiteboard’s latest update (17.8302.5275X or greater) includes the capability for two Surface Hubs to collaborate in real time on the same board.
+
+By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. Mobile device management (MDM) allows you to control default settings and provides access to these capabilities. For more information about mobile device management for Surface Hub, see [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md).
+
+
+
+## Prerequisites for Whiteboard to Whiteboard collaboration
+
+To get Whiteboard to Whiteboard collaboration up and running, you’ll need to make sure your organization meets the following requirements:
+
+- Office 365 with cloud-based Azure Active Directory (Azure AD) for all users
+- OneDrive for Business deployed for all users who intend to collaborate
+- Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet
+- Surface Hub needs to be updated to Windows 10, version 1607 or newer
+- Port 443 needs to be open since Whiteboard makes standard https requests
+
+
+>[!NOTE]
+>Collaborative sessions can only take place between users within the same tenant, so users outside of your organization won’t be able to join even if they have a Surface Hub.
+
+## Using Whiteboard to Whiteboard collaboration
+
+To start a collaboration session:
+
+1. In the Whiteboard app, tap the **Sign in** button.
+2. Sign in with your organization ID.
+3. Tap the **Invite** button next to your name at the top of the app.
+4. Tap **Start session**. Whiteboard will generate a link that you can share.
+
+ 
+
+5. Copy and paste this link into a Skype chat with another Surface Hub
+
+When the other Surface Hub receives the link, the recipient can tap on the link, sign in to Whiteboard, and then begin collaborating. You can copy and paste other content, use smart ink features like Ink to Shape, and co-author together.
+
+After you’re done, you can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working.
+
+## How to control and manage Whiteboard to Whiteboard collaboration
+
+Whiteboard has settings that can be managed via MDM. These allow you to disable or enable collaboration functionality in case your organization can’t meet the prerequisites or you’d rather not have your organization use this feature.
+
+The value for each setting can be True or False. The default value for each setting is False.
+
+The OMA URI for each setting consists of `./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Microsoft.Office.Whiteboard_8wekyb3d8bbwe/AppSettingPolicy/` and the string from the OMA URI column in the table. For example, the full OMA URI for **Enable sign-in** is `./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Microsoft.Office.Whiteboard_8wekyb3d8bbwe/AppSettingPolicy/EnableSignIn`.
+
+| Setting | Details | OMA URI | Supported with
+ Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.
+
+ Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your institution.
+
+ Learn how the new classroom experiences in Microsoft Teams can help you manage your daily workflow more easily than ever before.
+
+ Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.
+| Support for free apps only | -
|---|
-
|
-
| Support for free apps and Minecraft: Education Edition | -
|---|
-
|
-
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
Boolean value. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules_FirewallRuleName_/Profiles** +Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
+ +Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+ **FirewallRules/_FirewallRuleName_/Action**Specifies the action for the rule.
Supported operation is Get.
@@ -229,14 +236,43 @@ If not specified - a new rule is disabled by default.Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules/_FirewallRuleName_/Direction** +Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ +**FirewallRules/FirewallRuleName/InterfaceTypes** +Comma separated list of interface types. Valid values:
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+ **FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules/_FirewallRuleName_/EdgeTraversal** +Indicates whether edge traversal is enabled or disabled for this rule.
+The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+New rules have the EdgeTraversal property disabled by default.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
+ **FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules/_FirewallRuleName_/Status** +Provides information about the specific verrsion of the rule in deployment for monitoring purposes.
+Value type is string. Supported operation is Get.
+ **FirewallRules/_FirewallRuleName_/FriendlyName**Specifies the friendly name of the rule. The string must not contain the "|" character.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md new file mode 100644 index 0000000000..ced7194e3a --- /dev/null +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -0,0 +1,1815 @@ +--- +title: Firewall DDF file +description: Firewall DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Firewall CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> +Added a section describing SyncML examples of various ADMX elements.
Added a new topic describing how to deploy and configure App-V apps using MDM.
| New or updated topic | +Description | +
|---|---|
| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | +Added a list of registry locations that ingested policies are allowed to write to. | +
| [Firewall CSP](firewall-csp.md) | +Added the following nodes:
+
|
| [TPMPolicy CSP](tpmpolicy-csp.md) | +New CSP added in Windows 10, version 1703. | +
| [Policy CSP](policy-configuration-service-provider.md) | +
+ Added the following new policies for Windows 10, version 1703: +
Added the following new policies for Windows 10, version 1709: +
|
| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | +Updated the CSP in Windows 10, version 1709. Added the following settings:
+
|
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - @@ -19556,14 +19488,34 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - **Update/EngagedRestartDeadline** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+  2 |
+
The default value is 0 days (not specified). - - - **Update/EngagedRestartSnoozeSchedule** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
The default value is 3 days. - - - **Update/EngagedRestartTransitionSchedule** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
The default value is 7 days. - - - @@ -19656,10 +19645,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. - - - - @@ -19699,9 +19684,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Disabled. - 1 – Enabled. - - - @@ -19751,10 +19733,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - @@ -19802,10 +19780,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - @@ -19852,9 +19826,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - @@ -19896,9 +19867,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - @@ -19932,9 +19900,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - @@ -19974,9 +19939,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - @@ -20010,9 +19972,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - @@ -20055,9 +20014,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. - - - @@ -20105,14 +20061,34 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - **Update/ScheduleImminentRestartWarning** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
The default value is 15 (minutes). - - - **Update/ScheduleRestartWarning** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
The default value is 4 (hours). - - - @@ -20181,7 +20174,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Enables the IT admin to schedule the day of the update installation. -
The data type is a string. +
The data type is a integer.
Supported operations are Add, Delete, Get, and Replace. @@ -20196,8 +20189,180 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 6 – Friday - 7 – Saturday + + + +**Update/ScheduledInstallEveryWeek** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +
Enables the IT admin to schedule the time of the update installation. -
The data type is a string. +
The data type is a integer.
Supported operations are Add, Delete, Get, and Replace. @@ -20242,14 +20407,34 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
The default value is 3. - - - **Update/SetAutoRestartNotificationDisable** + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +MobileEnterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ + | 2 |
+ 2 |
+ |
+ 2 |
+
This policy has been deprecated. - - - @@ -20465,9 +20635,6 @@ Example
Most restricted value is 0. - - - @@ -20506,9 +20673,6 @@ Example
Most restricted value is 0. - - - @@ -20550,10 +20714,6 @@ Example > [!NOTE] > Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - - @@ -20592,9 +20752,6 @@ Example
Most restricted value is 0. - - - @@ -20629,9 +20786,6 @@ Example - 0 - WiFi Direct connection is not allowed. - 1 - WiFi Direct connection is allowed. - - - @@ -20669,9 +20823,6 @@ Example
Supported operations are Add, Delete, Get, and Replace. - - - @@ -20708,9 +20859,6 @@ Example - 0 - app suggestions are not allowed. - 1 (default) -allow app suggestions. - - - @@ -20748,9 +20896,6 @@ Example - 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. - 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. - - - @@ -20763,8 +20908,6 @@ If you enable this policy setting, no app notifications are displayed on the loc If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. - - ADMX Info: @@ -20785,8 +20928,6 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. - - ADMX Info: @@ -20836,9 +20977,6 @@ ADMX Info: 1. Enable policy. 2. Verify that the Switch account button in Start is hidden. - - - @@ -20873,9 +21011,6 @@ ADMX Info: - 0 - your PC cannot discover or project to other devices. - 1 - your PC can discover and project to other devices - - - @@ -20910,9 +21045,6 @@ ADMX Info: - 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. - 1 - your PC can discover and project to other devices over infrastructure. - - - @@ -20951,9 +21083,6 @@ ADMX Info: - 0 - projection to PC is not allowed. Always off and the user cannot enable it. - 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - @@ -20988,9 +21117,6 @@ ADMX Info: - 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. - 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - @@ -20999,9 +21125,6 @@ ADMX Info:
Added in Windows 10, version 1703. - - - @@ -21040,9 +21163,6 @@ ADMX Info: - 0 (default) - PIN is not required. - 1 - PIN is required. - - -
Defines the root node.
+ +**IsActiveZeroExhaust** +Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
+ +Supported operations are Get and Replace. +**DeviceTagging** +
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. + +
Supported operations is Get. + +**DeviceTagging/Group** +
Added in Windows 10, version 1709. Device group identifiers. + +
The data type is a string. + +
Supported operations are Get and Replace. + +**DeviceTagging/Criticality** +
Added in Windows 10, version 1709. Asset criticality value. Supported values: + +- 0 - Normal +- 1 - Critical + +
The data type is an integer. + +
Supported operations are Get and Replace.
+
## Examples
@@ -98,7 +120,7 @@ The following list describes the characteristics and parameters.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -309,13 +309,13 @@ If you're running into compatibility issues where your app is incompatible with
### Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**.
|Mode |Description |
|-----|------------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data. After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 4dbf46f1e8..d8a879c4d2 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -63,7 +63,7 @@ During the policy-creation process in System Center Configuration Manager, you c
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -94,7 +94,9 @@ If you don't know the publisher or product name, you can find them for both desk
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
- >**Note** For example:
+ >[!IMPORTANT]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@@ -121,7 +124,8 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- >**Note**
```json
{
@@ -460,6 +465,9 @@ After you've decided where your protected apps can access enterprise data on you
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
+ >[!IMPORTANT]
+ >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below.
+
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **Yes (recommended).** Turns on the feature and provides the additional protection.
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
new file mode 100644
index 0000000000..60eb44c676
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -0,0 +1,43 @@
+---
+title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
+description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
+
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+
+After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
+
+**To deploy your WIP policy**
+
+1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
+
+ A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
+
+2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
+
+ The policy is deployed to the selected users' devices.
+
+ 
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+## Related topics
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index c7dcdf364b..a3b19da3c4 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
---
-title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10)
description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@@ -11,11 +11,11 @@ author: eross-msft
localizationpriority: high
---
-# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
+# Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
**Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 77df2d4e51..159440b9aa 100644
--- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -1,6 +1,6 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
-description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
+description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
@@ -21,7 +21,7 @@ localizationpriority: high
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
-Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also referred to as WIP-unaware).
+Apps can be enlightened or unenlightened:
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
@@ -31,6 +31,8 @@ Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also r
- Windows **Save As** experiences only allow you to save your files as enterprise.
+- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions.
+
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
@@ -42,9 +44,13 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-- Microsoft Photos
+- Office 365 ProPlus apps, including Word, Excel, PowerPoint, OneNote, and Outlook
-
+- OneDrive app
+
+- OneDrive sync client (OneDrive.exe, the next generation sync client)
+
+- Microsoft Photos
- Groove Music
@@ -58,6 +64,11 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop
+## List of WIP-work only apps from Microsoft
+Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
+
+- Skype for Business
+
## Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
@@ -70,12 +81,14 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. **Note**
-
+Service | Endpoint
+--- | ---
+Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.comService Endpoint
- Connected User Experience and Telemetry component v10.vortex-win.data.microsoft.com
-
settings-win.data.microsoft.com
- Windows Error Reporting watson.telemetry.microsoft.com
- Online Crash Analysis oca.telemetry.microsoft.com
-
settings-win.data.microsoft.com
+Windows Error Reporting | watson.telemetry.microsoft.com
+Online Crash Analysis | oca.telemetry.microsoft.com
-4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
+
+ 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
-Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
-1. Go to [Operations Management Suite’s page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+
+
+ [](images/uc-02.png)
-
- 
-
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
- 
-
-3. Create a new OMS workspace.
+ [](images/uc-03.png)
-
- 
-
+3. Create a new OMS workspace.
+
+
+ [](images/uc-04.png)
+
4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
-
- 
-
+
+ [](images/uc-05.png)
+
5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
-
- 
-
+
+ [](images/uc-06.png)
+
6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
-
- 
-
-7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
+ [](images/uc-07.png)
+
+
+7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
+
+
+ [](images/uc-08.png)
-
- 
-
8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
-
- 
-
+
+ [](images/uc-09.png)
+
9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
-
- 
-
+
+ [](images/uc-10.png)
+
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
+>[!NOTE]
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices
-In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
+In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
@@ -117,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th
## Related topics
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 9ee49a1e9d..1be2149594 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -1,6 +1,7 @@
---
-title: Monitor Windows Updates with Update Compliance (Windows 10)
-description: Introduction to Update Compliance.
+title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10)
+description: You can use Update Compliance in OMS to monitor the progress of updates and key antimalware protection features on devices in your network.
+keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -8,26 +9,26 @@ ms.pagetype: deploy
author: greg-lindsay
---
-# Monitor Windows Updates with Update Compliance
+# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
## Introduction
-With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsoft’s new servicing strategy: [Windows as a Service](waas-overview.md).
+With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
+Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
-- An overview of your organization’s devices that just works.
-- Dedicated drill-downs for devices that might need attention.
-- An inventory of devices, including the version of Windows they are running and their update status.
-- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later).
-- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries.
-- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure.
+- Dedicated drill-downs for devices that might need attention
+- An inventory of devices, including the version of Windows they are running and their update status
+- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
+- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
+- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
+- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
-See the following topics in this guide for detailed information about configuring and use the Update Compliance solution:
+See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
@@ -36,19 +37,20 @@ An overview of the processes used by the Update Compliance solution is provided
## Update Compliance architecture
-The Update Compliance architecture and data flow is summarized by the following five step process:
+The Update Compliance architecture and data flow is summarized by the following five-step process:
**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
**(2)** Telemetry data is analyzed by the Update Compliance Data Service.
**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.
**(4)** Telemetry data is available in the Update Compliance solution.
-**(5)** You are able to monitor and troubleshoot Windows updates on your network.
+**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
These steps are illustrated in following diagram:
-
+
->This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID.
+>[!NOTE]
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 08daf13df1..9daa1a5103 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -19,6 +19,7 @@ Update Compliance:
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
+>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index aabaf2a52c..c8811f1289 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -98,7 +98,7 @@ In the CB servicing model, feature updates are available as soon as Microsoft re
When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
-### Current Branch for Business
+ ### Current Branch for Business
Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Each feature update release will be supported and updated for 18 months from the time of its release.
@@ -120,7 +120,7 @@ Microsoft never publishes feature updates through Windows Update on devices that
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
-LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
+LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices. Since Windows Store client is not available in Windows 10 Enterprise LTSB, if you need to run a Windows Store app, you should not use Windows 10 LTSB on that device.
>[!NOTE]
>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB.
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 8fe0d076bf..68eea6f9a8 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -16,17 +16,19 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
-> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+> [!NOTE]
+> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
Ensure the following prerequisites are met before using site discovery:
-1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
-2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
-3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it.
+1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
+ - For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
+ - For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
+2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 set **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
- If necessary, you can also enable it by creating the following registry entry.
+ If necessary, you can also enable data collection by creating the following registry entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
diff --git a/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index f1f62943e3..60483dd6e4 100644
--- a/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -12,7 +12,7 @@ author: brianlic-msft
# Protecting cluster shared volumes and storage area networks with BitLocker
**Applies to**
-- Windows 10
+- Windows Server 2016
This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index d13224f45d..df7aacb570 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -20,7 +20,208 @@ For an overview of the process described in the following procedures, see [Deplo
The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents.
-> **Note** Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy.
+> [!Note]
+> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy.
+
+### Scripting and applications
+
+Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
+You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+
+Members of the security community\* continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies.
+
+Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard:
+
+- bash.exe
+- bginfo.exe
+- cdb.exe
+- csi.exe
+- dnx.exe
+- fsi.exe
+- kd.exe
+- lxssmanager.dll
+- msbuild.exe[1]
+- mshta.exe
+- ntsd.exe
+- rcsi.exe
+- system.management.automation.dll
+- windbg.exe
+
+[1]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+
+*Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
+
+
+
+|Name|Twitter|
+|---|---|
+|Casey Smith |@subTee|
+|Matt Graeber | @mattifestation|
+|Matt Nelson | @enigma0x3|
+|Oddvar Moe |@Oddvarmoe|
+
+
+
+>[!Note]
+>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+
+Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions.
+
+Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+
+Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
+
+```
+
+
To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
@@ -36,7 +237,7 @@ To create a code integrity policy, copy each of the following commands into an e
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
- > **Notes**
+ > [!Notes]
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
@@ -52,7 +253,8 @@ To create a code integrity policy, copy each of the following commands into an e
After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.
-> **Note** We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
+> [!Note]
+> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies).
@@ -60,7 +262,8 @@ We recommend that every code integrity policy be run in audit mode before being
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
-> **Note** Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
+> [!Note]
+> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
**To audit a code integrity policy with local policy:**
@@ -68,7 +271,7 @@ When code integrity policies are run in audit mode, it allows administrators to
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
- > **Notes**
+ > [!Note]
> - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run.
@@ -76,7 +279,7 @@ When code integrity policies are run in audit mode, it allows administrators to
3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
- > **Notes**
+ > [!Note]
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
@@ -124,7 +327,8 @@ Use the following procedure after you have been running a computer with a code i
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
- > **Note** When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
+ > [!Note]
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
@@ -134,7 +338,8 @@ Use the following procedure after you have been running a computer with a code i
You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
-> **Note** You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
+> [!Note]
+> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
## Use a code integrity policy to control specific plug-ins, add-ins, and modules
@@ -166,7 +371,8 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
-> **Note** The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
+> [!Note]
+> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session:
@@ -182,7 +388,8 @@ To merge two code integrity policies, complete the following steps in an elevate
` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
- > **Note** The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
+ > [!Note]
+ > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy:
@@ -198,7 +405,8 @@ Now that you have created a new code integrity policy (for example, called **New
Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
-> **Note** Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
+> [!Note]
+> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
1. Initialize the variables that will be used:
@@ -210,7 +418,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
- > **Note** The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
+ > [!Note]
+ > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
@@ -228,7 +437,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
- > **Note** To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
+ > [!Note]
+ > To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format:
@@ -244,7 +454,8 @@ Signing code integrity policies by using an on-premises CA-generated certificate
Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath
This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
-
- What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management.
- Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
+ - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
+
+ - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
+ In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+
+ Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies.
+
+ For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
+
+ Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps).
+
+
+
+
+
+
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
## Getting started on the deployment process
@@ -59,3 +73,5 @@ This topic provides a roadmap for planning and getting started on the Device Gua
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
+
+
\ No newline at end of file
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index c0e36621af..ca5178e70e 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows"
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.author": "justinha",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/device-security/images/tpm-capabilities.png b/windows/device-security/images/tpm-capabilities.png
new file mode 100644
index 0000000000..aecbb68522
Binary files /dev/null and b/windows/device-security/images/tpm-capabilities.png differ
diff --git a/windows/device-security/images/tpm-remote-attestation.png b/windows/device-security/images/tpm-remote-attestation.png
new file mode 100644
index 0000000000..fa092591a1
Binary files /dev/null and b/windows/device-security/images/tpm-remote-attestation.png differ
diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md
index 20d05b68d2..1b874b2988 100644
--- a/windows/device-security/tpm/tpm-recommendations.md
+++ b/windows/device-security/tpm/tpm-recommendations.md
@@ -100,8 +100,8 @@ The following table defines which Windows features require TPM support.
| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details |
|-------------------------|----------------------|----------------------|----------|
-| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot. |
-| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. |
+| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. |
+| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly. |
| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
@@ -120,4 +120,4 @@ Government customers and enterprise customers in regulated industries may have a
## Related topics
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
+- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
deleted file mode 100644
index f62ee298ba..0000000000
--- a/windows/device-security/windows-security-baselines.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Windows security baselines (Windows 10)
-description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: brianlic-msft
----
-
-# Windows security baselines
-
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-- Windows Server 2012 R2
-
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
-
- > [!NOTE]
- > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
-
-## What are security baselines?
-
-Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
-
-A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
-customers.
-
-## Why are security baselines needed?
-
-Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
-
-For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
-
-In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
-
-To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
-
-## How can you use security baselines?
-
- You can use security baselines to:
-
- - Ensure that user and device configuration settings are compliant with the baseline.
- - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
-
-## Where can I get the security baselines?
-
- Here's a list of security baselines that are currently available.
-
- > [!NOTE]
- > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
-
-### Windows 10 security baselines
-
- - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- - [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- - [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
-
-### Windows Server security baselines
-
- - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- - [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
-
-## How can I monitor security baseline deployments?
-
-Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
-
-You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.
-
\ No newline at end of file
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index e134b0e320..a95581a35a 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -35,7 +35,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows"
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.author": "brianlic",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 3583f8bd89..645b49ea7c 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -1,5 +1,5 @@
# [Threat protection](index.md)
-
+## [Windows Defender Security Center](windows-defender-security-center\windows-defender-security-center.md)
## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
@@ -135,9 +135,12 @@
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
-#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
-##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md)
-##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
+##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
+##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index 07f61a5d85..ed82259478 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -11,10 +11,19 @@ author: brianlic-msft
# Change history for threat protection
This topic lists new and updated topics in the [Threat protection](index.md) documentation.
+## June 2017
+|New or changed topic |Description |
+|---------------------|------------|
+[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
+[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
+[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
+|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|
+
+
## March 2017
|New or changed topic |Description |
|---------------------|------------|
-|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
+||[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
|[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 1078120934..2989cbeaa7 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows"
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.author": "justinha",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 9b7c69fbe1..1c76376a0b 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -33,7 +33,7 @@ You'll also see additional links for:
- Reporting on Windows Defender Antivirus protection
> [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 7fa6451710..6bef064955 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -31,11 +31,11 @@ See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/wi
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
+In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
-You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
## Related topics
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index b350ed550f..b3305b6b1c 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -36,12 +36,12 @@ author: iaanw
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
-See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
+- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
## Related topics
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 0a4d40cb54..2a053cc803 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -35,12 +35,16 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
-The app also includes the settings and status of:
+> [!IMPORTANT]
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
-- The PC (as "device health")
-- Windows Firewall
-- Windows Defender SmartScreen Filter
-- Parental and Family Controls
+> [!WARNING]
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
+>This will significantly lower the protection of your device and could lead to malware infection.
+
+
+See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index f0976431f1..78add1c8f2 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -25,52 +25,262 @@ Understand what data fields are exposed as part of the alerts API and how they m
## Alert API fields and portal mapping
+The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
+
+
+The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+
Field numbers match the numbers in the images below.
-Portal label | SIEM field name | Description
-:---|:---|:---
-1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
-2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/
ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.
**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
-11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
-12 | FileName | File name
-13 | FileHash | Sha1 of file observed
-14 | FilePath | File path
-15 | IpAddress | IP of the IOC (when relevant)
-16 | URL | URL of the IOC (when relevant)
-17 | FullId | (Internal only)
Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
-18 | AlertPart | (Internal only)
Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
-19 | LastProccesedTimeUtc | (Internal only)
Time the alert was last processed in Windows Defender ATP.
-20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
-21 | ThreatCategory| Windows Defender AV threat category
-22 | ThreatFamily | Windows Defender AV family name
-23 | RemediationAction | Windows Defender AV threat category |
-24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
-25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
-26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
-27 | Md5 | Md5 of file observed (when available)
-28 | Sha256 | Sha256 of file observed (when available)
-29 | ThreatName | Windows Defender AV threat name
+
+
->[!NOTE]
-> Fields #21-29 are related to Windows Defender Antivirus alerts.
-
+
-
+
-
+
-
+
-
+
+
+
+
+
## Related topics
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index cb875edc71..1976fb8703 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -24,14 +24,14 @@ localizationpriority: high
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
-System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
+System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
>[!NOTE]
> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
## Configure endpoints using System Center Configuration Manager earlier versions
-You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
+You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
diff --git a/windows/threat-protection/windows-defender-atp/images/1.png b/windows/threat-protection/windows-defender-atp/images/1.png
new file mode 100644
index 0000000000..70ce314c00
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png b/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png
new file mode 100644
index 0000000000..a23b78fd2f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png
new file mode 100644
index 0000000000..238b7e880b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
new file mode 100644
index 0000000000..33cb7862f6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png
new file mode 100644
index 0000000000..2f834e986c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
index 06daaa6ea7..4dfdc73f8c 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
index 467c7a321e..f162f21b1b 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
new file mode 100644
index 0000000000..af1915fb0b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png b/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png
new file mode 100644
index 0000000000..3df0eccc18
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png b/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png
index 2968bc4cbb..1dd7f28817 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png and b/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
index e91eb539fa..3d9b39c0f9 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index fbb2de4176..c9063c8fa9 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
index a1e3309e81..da80abb64f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
index b58b0f29b0..eccd6e9aec 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png
new file mode 100644
index 0000000000..e2a484f610
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png
new file mode 100644
index 0000000000..b34e915132
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png
new file mode 100644
index 0000000000..7a735cb861
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png
new file mode 100644
index 0000000000..7033649791
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png
new file mode 100644
index 0000000000..baeae0dd38
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png
new file mode 100644
index 0000000000..405fbaf384
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png
new file mode 100644
index 0000000000..2681a11815
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png
new file mode 100644
index 0000000000..e46a8edac4
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png
new file mode 100644
index 0000000000..c59c3c04c0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png
new file mode 100644
index 0000000000..7aa79c89b8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png
new file mode 100644
index 0000000000..b1521c7567
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
new file mode 100644
index 0000000000..8dcfa06ea0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png
new file mode 100644
index 0000000000..ebc702179f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
index 200437ab22..1d852999b9 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index e456a18096..c621085545 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Investigate Windows Defender Advanced Threat Protection alerts
-description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
+description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -15,30 +15,35 @@ localizationpriority: high
**Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.
+Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
+
+
+
+
+The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
+
+For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md).
+
+The alert details page also shows the alert process tree, an incident graph, and an alert timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
-
+
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
-
+
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
## Alert process tree
-The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
+The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
@@ -46,11 +51,15 @@ The **Alert process tree** expands to display the execution path of the alert, i
The alert and related events or evidence have circles with thunderbolt icons inside them.
+
>[!NOTE]
>The alert process tree might not be available in some alerts.
-Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
+Clicking in the circle immediately to the left of the indicator displays its details.
+
+
+The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
## Incident graph
@@ -58,9 +67,7 @@ The **Incident Graph** provides a visual representation of the organizational f
-The **Incident Graph** previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address.
-
-The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed.
+The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 1fc73cb046..435dc1a3c2 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -15,10 +15,6 @@ localizationpriority: high
**Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
## Investigate machines
@@ -55,7 +51,9 @@ You'll also see details such as logon types for each user account, the user grou
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
-The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
+The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
+
+This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/threat-protection/windows-defender-security-center/images/security-center-home.png
new file mode 100644
index 0000000000..601b2a32b8
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-home.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
new file mode 100644
index 0000000000..e3d744df4c
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
new file mode 100644
index 0000000000..a35daeb1f4
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
new file mode 100644
index 0000000000..eec35c6dcf
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
new file mode 100644
index 0000000000..f8376c934c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -0,0 +1,119 @@
+---
+title: Windows Defender Security Center
+description: The Windows Defender Security Center brings together common Windows security features into one place
+keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# The Windows Defender Security Center
+
+**Applies to**
+
+- Windows 10, version 1703
+
+
+
+
+In Windows 10, version 1703 we introduced the new Windows Defender Security Center, which brings together common Windows security features into one, easy-to-use app.
+
+
+
+
+
+
+
+
+
+Many settings that were previously part of the individual features and main Windows Settings have been combined and moved to the new app, which is installed out-of-the-box as part of Windows 10, version 1703.
+
+The app includes the settings and status for the following security features:
+
+- Virus & threat protection, including settings for Windows Defender Antivirus
+- Device performance & health, which includes information about drivers, storage space, and general Windows Update issues
+- Firewall & network protection, including Windows Firewall
+- App & browser control, covering Windows Defender SmartScreen settings
+- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
+
+
+
+The Windows Defender Security Center uses the [Windows Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on 3rd party antivirus and firewall products that are installed on the device.
+
+> [!IMPORTANT]
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
+
+> [!WARNING]
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
+>This will significantly lower the protection of your device and could lead to malware infection.
+
+
+## Open the Windows Defender Security Center
+- Right-click the icon in the notification area on the taskbar and click **Open**.
+
+ 
+- Search the Start menu for **Windows Defender Security Center**.
+
+ 
+
+
+> [!NOTE]
+> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. Review the settings for each feature in its appropriate library. Links for both home user and enterprise or commercial audiences are listed below.
+
+## How the Windows Defender Security Center works with Windows security features
+
+
+
+
+The Windows Defender Security Center operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
+
+It acts as a collector or single place to see the status and perform some configuration for each of the features.
+
+Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center. The Windows Defender Security Center itself will still run and show status for the other security features.
+
+> [!IMPORTANT]
+> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center itself.
+
+For example, [using a 3rd party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
+
+The presence of the 3rd party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center.
+
+
+
+## More information
+
+See the following links for more information on the features in the Windows Defender Security Center:
+- Windows Defender Antivirus
+ - IT administrators and IT pros can get configuration guidance from the [Windows Defender Antivirus in the Windows Defender Security Center topic](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) and the [Windows Defender Antivirus documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+ - Home users can learn more at the [Virus & threat protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center)
+- Device performance & health
+ - It administrators and IT pros can [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/load-and-unload-device-drivers), and learn how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager)
+ - Home users can learn more at the [Track your device and performance health in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012986/windows-defender-track-your-device-performance-health)
+- Windows Firewall
+ - IT administrators and IT pros can get configuration guidance from the [Windows Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security)
+ - Home users can learn more at the [Firewall & network protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012988/windows-10-firewall-network-protection-windows-defender-security-center)
+- Windows Defender SmartScreen
+ - IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
+ - Home users can learn more at the [App & browser control in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013218/windows-10-app-browser-control-in-windows-defender)
+- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
+ - Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
+
+
+
+>[!NOTE]
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+
+
+
+
+
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
new file mode 100644
index 0000000000..15e17ff463
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -0,0 +1,72 @@
+---
+title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
+description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
+keywords: WIP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+
+After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
+
+## Associate your WIP policy to your VPN policy by using Microsoft Intune
+Follow these steps to associate your WIP policy with your organization's existing VPN policy.
+
+**To associate your policies**
+
+1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
+
+2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
+
+ 
+
+3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
+
+ 
+
+4. In the **Custom OMA-URI Settings** blade, click **Add**.
+
+5. In the **Add Row** blade, type:
+
+ - **Name.** Type a name for your setting, such as *EDPModeID*.
+
+ - **Description.** Type an optional description for your setting.
+
+ - **OMA-URI.** Type _./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId_ into the box.
+
+ - **Data type.** Select **String** from the dropdown box
+
+ - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
+
+ 
+
+6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
+
+7. Click **Create** to create the policy, including your OMA_URI info.
+
+## Deploy your VPN policy using Microsoft Intune
+After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
+
+**To deploy your Custom VPN policy**
+
+1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
+
+ A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
+
+2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
+
+ The policy is deployed to the selected users' devices.
+
+ 
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index 64602d97ae..043f638474 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
---
-title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10)
+title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: WIP, Enterprise Data Protection
@@ -11,11 +11,11 @@ author: eross-msft
localizationpriority: high
---
-# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
+# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
**Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
new file mode 100644
index 0000000000..5726426cf1
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -0,0 +1,532 @@
+---
+title: Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune (Windows 10)
+description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune
+
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
+
+>[!Important]
+>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) topic.
+
+## Add a WIP policy
+After you’ve set up Intune for your organization, you must create a WIP-specific policy.
+
+**To add a WIP policy**
+1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
+
+ 
+
+2. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
+ - **Name.** Type a name (required) for your new policy.
+
+ - **Description.** Type an optional description.
+
+ - **Platform.** Choose **Windows 10** as the supported platform for your policy.
+
+ - **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
+
+ 
+
+ >[!Important]
+ >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead.
+
+3. Click **Create**.
+
+ The policy is created and appears in the table on the **App Policy** screen.
+
+ >[!NOTE]
+ >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
+
+### Add apps to your Allowed apps list
+During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+
+The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app.
+
+>[!Important]
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+
+ Portal label
+ SIEM field name
+ ArcSight field
+ Example value
+ Description
+
+
+
+ 1
+ AlertTitle
+ name
+ A dll was unexpectedly loaded into a high integrity process without a UAC prompt
+ Value available for every alert.
+
+
+
+ 2
+ Severity
+ deviceSeverity
+ Medium
+ Value available for every alert.
+
+
+
+ 3
+ Category
+ deviceEventCategory
+ Privilege Escalation
+ Value available for every alert.
+
+
+
+ 4
+ Source
+ sourceServiceName
+ WindowsDefenderATP
+ Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.
+
+
+
+ 5
+ MachineName
+ sourceHostName
+ liz-bean
+ Value available for every alert.
+
+
+
+ 6
+ FileName
+ fileName
+ Robocopy.exe
+ Available for alerts associated with a file or process.
+
+
+
+ 7
+ FilePath
+ filePath
+ C:\Windows\System32\Robocopy.exe
+ Available for alerts associated with a file or process. \
+
+
+
+ 8
+ UserDomain
+ sourceNtDomain
+ contoso
+ The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
+
+
+
+ 9
+ UserName
+ sourceUserName
+ liz-bean
+ The user context running the activity, available for Windows Defender ATP behavioral based alerts.
+
+
+
+ 10
+ Sha1
+ fileHash
+ 5b4b3985339529be3151d331395f667e1d5b7f35
+ Available for alerts associated with a file or process.
+
+
+
+ 11
+ Md5
+ deviceCustomString5
+ 55394b85cb5edddff551f6f3faa9d8eb
+ Available for Windows Defender AV alerts.
+
+
+
+ 12
+ Sha256
+ deviceCustomString6
+ 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5
+ Available for Windows Defender AV alerts.
+
+
+
+ 13
+ ThreatName
+ eviceCustomString1
+ Trojan:Win32/Skeeyah.A!bit
+ Available for Windows Defender AV alerts.
+
+
+
+ 14
+ IpAddress
+ sourceAddress
+ 218.90.204.141
+ Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
+
+
+
+ 15
+ Url
+ requestUrl
+ down.esales360.cn
+ Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.
+
+
+
+ 16
+ RemediationIsSuccess
+ deviceCustomNumber2
+ TRUE
+ Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
+
+
+
+ 17
+ WasExecutingWhileDetected
+ deviceCustomNumber1
+ FALSE
+ Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
+
+
+
+ 18
+ AlertId
+ externalId
+ 636210704265059241_673569822
+ Value available for every alert.
+
+
+
+ 19
+ LinkToWDATP
+ flexString1
+ `https://securitycenter.windows.com/alert/636210704265059241_673569822`
+ Value available for every alert.
+
+
+
+ 20
+ AlertTime
+ deviceReceiptTime
+ 2017-05-07T01:56:59.3191352Z
+ The time the activity relevant to the alert occurred. Value available for every alert.
+
+
+
+ 21
+ MachineDomain
+ sourceDnsDomain
+ contoso.com
+ Domain name not relevant for AAD joined machines. Value available for every alert.
+
+
+
+ 22
+ Actor
+ deviceCustomString4
+
+ Available for alerts related to a known actor group.
+
+
+
+ 21+5
+ ComputerDnsName
+ No mapping
+ liz-bean.contoso.com
+ The machine fully qualified domain name. Value available for every alert.
+
+
+
+
+ LogOnUsers
+ sourceUserId
+ contoso\liz-bean; contoso\jay-hardee
+ The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.
+
+
+
+ Internal field
+ LastProcessedTimeUtc
+ No mapping
+ 2017-05-07T01:56:58.9936648Z
+ Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.
+
+
+
+
+ Not part of the schema
+ deviceVendor
+
+ Static value in the ArcSight mapping - 'Microsoft'.
+
+
+
+
+ Not part of the schema
+ deviceProduct
+
+ Static value in the ArcSight mapping - 'Windows Defender ATP'.
+
+
+
+
+ Not part of the schema
+ deviceVersion
+
+ Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
+
+
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+
+#### Add a Recommended app to your Allowed apps list
+For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
+
+**To add a recommended app**
+1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
+
+ The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+ 
+
+2. From the **Allowed apps** blade, click **Add apps**.
+
+ The **Add apps** blade appears, showing you all **Recommended apps**.
+
+ 
+
+3. Select each app you want to access your enterprise data, and then click **OK**.
+
+ The **Allowed apps** blade updates to show you your selected apps.
+
+ 
+
+#### Add a Store app to your Allowed apps list
+For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
+
+**To add a Store app**
+1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
+
+ The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+2. From the **Allowed apps** blade, click **Add apps**.
+
+3. On the **Add apps** blade, click **Store apps** from the dropdown list.
+
+ The blade changes to show boxes for you to add a publisher and app name.
+
+4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`.
+
+5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
+
+ >[!NOTE]
+ >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**.
+
+ 
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the publisher and product name values for Store apps without installing them**
+1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
+
+2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ```json
+ {
+ "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
+
+ >[!Important]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
+ {
+
+**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
+
+ >**Note**
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >[!Important]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
+ {
+
+#### Add a Desktop app to your Allowed apps list
+For this example, we’re going to add WordPad, a desktop app, to the **Allowed apps** list.
+
+**To add a Desktop app**
+1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
+
+ The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+2. From the **Allowed apps** blade, click **Add apps**.
+
+3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
+
+ The blade changes to show boxes for you to add the following, based on what results you want returned:
+
+
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
+
+
+4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
+
+ >[!Note]
+ >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**.
+
+ 
+
+ **To find the Publisher values for Desktop apps**
+ If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+
+ ```ps1
+ Get-AppLockerFileInformation -Path "
+
+ Field
+ Manages
+
+
+ All fields marked as “*”
+ All files signed by any publisher. (Not recommended)
+
+
+ Publisher only
+ If you only fill out this field, you’ll get all files signed by the named publisher.
+
This might be useful if your company is the publisher and signer of internal line-of-business apps.
+
+ Publisher and Name only
+ If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.
+
+
+ Publisher, Name, and File only
+ If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Name, File, and Min version only
+ If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
+
This option is recommended for enlightened apps that weren't previously enlightened.
+
+ Publisher, Name, File, and Max version only
+ If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ All fields completed
+ If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.
+
+ This is the XML file that AppLocker creates for Microsoft Dynamics 365.
+
+ ```xml
+
+
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
+
+2. Click **Save**.
+
+### Define your enterprise-managed corporate identity
+Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+
+Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+
+**To change your corporate identity**
+
+1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
+
+ The **Required settings** blade appears.
+
+2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
+
+ 
+
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
+
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+
+>[!Important]
+>Every WIP policy should include policy that defines your enterprise network locations.
Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+
+**To define where your allowed apps can find and send enterprise data on you network**
+
+1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
+
+ The **Advanced settings** blade appears.
+
+2. Click **Add network boundary** from the Network perimeter area.
+
+ The **Add network boundary** blade appears.
+
+ 
+
+3. Select the type of network boundary to add from the **Boundary type** box.
+
+4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
+
+
+
+
+5. Repeat steps 1-4 to add any additional network boundaries.
+
+6. Decide if you want to Windows to look for additional network settings:
+
+ 
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+### Upload your Data Recovery Agent (DRA) certificate
+After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
+
+>[!Important]
+>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.
+
+**To upload your DRA certificate**
+1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
+
+ The **Advanced settings** blade appears.
+
+2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+### Choose your optional WIP-related settings
+After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+
+**To set your optional settings**
+
+1. Choose to set any or all optional settings:
+
+ 
+
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
+
+ - **On (recommended).** Turns on the feature and provides the additional protection.
+
+ - **Off, or not configured.** Doesn't enable this feature.
+
+ - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions.
+
+ - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
+
+ - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
+
+ - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
+
+ - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection.
+
+ - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic.
+
+ - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
+
+### Choose to set up Azure Rights Management with WIP
+WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
+
+To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
+
+Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
+
+>[!NOTE]
+>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
+
+## Related topics
+- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
+
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+
+- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
+
+- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
+
+- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
+
+- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 2b277e056a..cbdd0a70de 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) with enrollment policy using the classic console for Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: w10
@@ -10,12 +10,12 @@ author: eross-msft
localizationpriority: high
---
-# Create a Windows Information Protection (WIP) policy using Microsoft Intune
+# Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune
**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
@@ -39,7 +39,7 @@ During the policy-creation process in Intune, you can choose the apps you want t
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!Important]
->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+
+ Boundary type
+ Value format
+ Description
+
+
+ Cloud Resources
+ With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
+
contoso.visualstudio.com,contoso.internalproxy2.com
Without proxy: contoso.sharepoint.com|contoso.visualstudio.comSpecify the cloud resources to be treated as corporate and protected by WIP.
+
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
+
+ Network domain names
+ corp.contoso.com,region.contoso.com
+ Starting with Windows 10, version 1703, this field is optional.
+
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
If you have multiple resources, you must separate them using the "," delimiter.
+
+ Proxy servers
+ proxy.contoso.com:80;proxy2.contoso.com:443
+ Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
+
This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
+
+ Internal proxy servers
+ contoso.internalproxy1.com;contoso.internalproxy2.com
+ Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
+
This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
+
+ IPv4 ranges
+ **Starting IPv4 Address:** 3.4.0.1
+
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Starting with Windows 10, version 1703, this field is optional.
+
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
+
+ IPv6 ranges
+ **Starting IPv6 Address:** 2a01:110::
+
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffStarting with Windows 10, version 1703, this field is optional.
+
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
+
+ Neutral resources
+ sts.contoso.com,sts.contoso2.com
+ Specify your authentication redirection endpoints for your company.
+
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
If you have multiple resources, you must separate them using the "," delimiter.
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+ >[!NOTE]
+
+ >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
@@ -111,7 +113,8 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
- >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
Your PC and phone must be on the same wireless network.
+ >[!NOTE]
+ >Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
@@ -137,7 +141,8 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
- >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ >[!IMPORTANT]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
>For example:
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
+|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](http://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
We don't recommend setting up Office by using individual paths or publisher rules.|
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
-|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app|
+|OneDrive Sync Client|**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app|
+|OneDrive app|**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
**Product Version:**Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index d8d0fb1910..dfd5630dc2 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Override**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
index eb659e55c3..caf17860ce 100644
--- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@@ -21,7 +21,8 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
## In this section
|Topic |Description |
|------|------------|
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index fe8a354526..19071542aa 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -76,13 +76,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- - **Deciding your level of data access.** WIP lets you block overrides, allow overrides, or audit employees' data sharing actions. Blocking overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+ - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
@@ -131,8 +131,8 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
+|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 0d5eb4ca6f..f07d6ab555 100644
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -24,7 +24,7 @@ We recommend that you add the following URLs to the Enterprise Cloud Resources a
## Recommended Enterprise Cloud Resources
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
-|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s) |
+|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s)|
|-----------------------------|---------------------------------------------------------------------|
|Office 365 for Business |
|
|Yammer |
|
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 6b8301ccab..c963eb975e 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -1,6 +1,6 @@
---
title: Edit an existing topic using the Edit link
-description: Instructions about how to edit an existing topic by using the Contribute link on TechNet.
+description: Instructions about how to edit an existing topic by using the Edit link on TechNet.
keywords: contribute, edit a topic
ms.prod: w10
ms.mktglfcycl: explore
@@ -10,13 +10,13 @@ ms.sitesec: library
# Editing existing Windows IT professional documentation
You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link.
->**Note**
+>[!NOTE]
>At this time, only the English (en-us) content is available for editing.
**To edit a topic**
-1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories.
-If you've already contributed to Microsoft repositories in the past, congratulations! You've already completed this step.
+1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories.
+If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
2. Go to the page on TechNet that you want to update, and then click **Edit**.
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 3c9739ce2e..590b6d84d5 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows"
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.author": "trudyha",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index b64a85a590..e0bd472d86 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10 (Windows 10)
-description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more.
+description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
ms.prod: w10
@@ -20,7 +20,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
-- [Edit an existing topic using the Contribute link](contribute-to-a-topic.md)
+- [Edit an existing topic using the Edit link](contribute-to-a-topic.md)
## Learn more