+ +**InternetExplorer/AllowSaveTargetAsInIEMode** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode. + +- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. +- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. + +For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow "Save Target As" in Internet Explorer mode* +- GP name: *AllowSaveTargetAsInIEMode* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml +
+--Policy--> +**InternetExplorer/ConfigureEdgeRedirectChannel** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. + +If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: + +- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: + 1 = Microsoft Edge Stable + 2 = Microsoft Edge Beta version 77 or later + 3 = Microsoft Edge Dev version 77 or later + 4 = Microsoft Edge Canary version 77 or later + +- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. + +If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur: + +- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: + 0 = Microsoft Edge version 45 or earlier + 1 = Microsoft Edge Stable + 2 = Microsoft Edge Beta version 77 or later + 3 = Microsoft Edge Dev version 77 or later + 4 = Microsoft Edge Canary version 77 or later + +- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. + +> [!NOTE] +> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites* +- GP name: *ConfigureEdgeRedirectChannel* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy lets you restrict launching of Internet Explorer as a standalone browser. + +If you enable this policy, it: +- Prevents Internet Explorer 11 from launching as a standalone browser. +- Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. +- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. +- Overrides any other policies that redirect to Internet Explorer 11. + +If you disable, or do not configure this policy, all sites are opened using the current active browser settings. + +> [!NOTE] +> Microsoft Edge Stable Channel must be installed for this policy to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Internet Explorer 11 as a standalone browser* +- GP name: *DisableInternetExplorerApp* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml +
+ +**InternetExplorer/KeepIntranetSitesInInternetExplorer** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting prevents intranet sites from being opened in any browser except Internet Explorer. + +> [!NOTE] +> If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy is not enabled, then this policy has no effect. + +If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. +If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge. + +We strongly recommend keeping this policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. + +Related policies: +- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’) +- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’) + +For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Keep all Intranet Sites in Internet Explorer* +- GP name: *KeepIntranetSitesInInternetExplorer* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml +
+ +**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List. + +If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. + +If you disable, or not configure this setting, then it opens all sites based on the currently active browser. + +> [!NOTE] +> If you have also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* +- GP name: *SendSitesNotInEnterpriseSiteListToEdge* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml +
@@ -4710,7 +4711,7 @@ If you disable, or do not configure this policy, all sites are opened using the ADMX Info: - GP English name: *Disable Internet Explorer 11 as a standalone browser* - GP name: *DisableInternetExplorerApp* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -9563,8 +9564,8 @@ For more information on how to use this policy together with other related polic ADMX Info: - GP English name: *Keep all Intranet Sites in Internet Explorer* -- GP name: *KeepIntranetSitesInInternetExplorer* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP name: *MDM policy is Browser/SendIntranetTraffictoInternetExplorer* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -19076,8 +19077,8 @@ If you disable, or not configure this setting, then it opens all sites based on ADMX Info: - GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *SendSitesNotInEnterpriseSiteListToEdge* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP name: *RestrictInternetExplorer* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* From f8b5cdbaa1ecd38d806c8fab769c514e21d87002 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 2 Feb 2021 16:20:16 +0530 Subject: [PATCH 08/54] updated --- ...olicy-csp-admx-microsoftdefenderantivirus.md | 17 +++++++++++++---- .../mdm/policy-csp-internetexplorer.md | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 5862dadff7..1e2341c8cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3223,9 +3223,11 @@ ADMX Info:
- + + **ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts** +
7777777777777777---Policy--> **InternetExplorer/ConfigureEdgeRedirectChannel** @@ -19077,7 +19076,7 @@ If you disable, or not configure this setting, then it opens all sites based on ADMX Info: - GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *SendSitesNotInEnterpriseSiteListToEdge* +- GP name: *RestrictInternetExplorer* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* From 71dc7e54f3eea2a462d040add904f8241733e23c Mon Sep 17 00:00:00 2001 From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com> Date: Fri, 19 Feb 2021 17:13:06 +0100 Subject: [PATCH 12/54] Update install-vamt.md missed to align the information in requirements section with merged PR #9009 --- windows/deployment/volume-activation/install-vamt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 38d957f492..12284d8025 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -33,7 +33,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Requirements - [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied -- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) +- the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install - Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended - Alternatively, any supported **full** SQL instance From 0282a5fd0c3f2f727a344dec9fcd286f46054ae0 Mon Sep 17 00:00:00 2001 From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com> Date: Sun, 21 Feb 2021 13:35:26 +0100 Subject: [PATCH 13/54] Update windows/deployment/volume-activation/install-vamt.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/volume-activation/install-vamt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 12284d8025..5d49cc632f 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -33,7 +33,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Requirements - [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied -- the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install +- Latest version of the [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) - Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended - Alternatively, any supported **full** SQL instance From 82c41e31d2cb337bb35200752d571ebb5ffa9b38 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:26:39 +0530 Subject: [PATCH 14/54] Updated --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 4 + .../policy-configuration-service-provider.md | 17 + .../policy-csp-admx-windowsfileprotection.md | 357 ++++++++++++++++++ 4 files changed, 379 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3675333e76..0b6429d817 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -266,6 +266,7 @@ #### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) #### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) +#### [ADMX_WindowsFileProtection](policy-csp-admx-windowsfileprotection.md)S #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) #### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a93f4e23d3..406699a136 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1295,6 +1295,10 @@ ms.date: 10/08/2020 - [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption) - [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary) - [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch) +- [ADMX_WindowsFileProtection/WFPShowProgress](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpshowprogress) +- [ADMX_WindowsFileProtection/WFPQuota](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpquota) +- [ADMX_WindowsFileProtection/WFPScan](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpscan) +- [ADMX_WindowsFileProtection/WFPDllCacheDir](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpdllcachedir) - [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline) - [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings) - [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5056143d53..e79253e46b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8450,6 +8450,23 @@ The following diagram shows the Policy configuration service provider in tree fo
-
+
- + ADMX_WindowsFileProtection/WFPShowProgress + +
- + ADMX_WindowsFileProtection/WFPQuota + +
- + ADMX_WindowsFileProtection/WFPScan + +
- + ADMX_WindowsFileProtection/WFPDllCacheDir + +
-
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md
new file mode 100644
index 0000000000..610f1840b9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md
@@ -0,0 +1,357 @@
+---
+title: Policy CSP - ADMX_WindowsFileProtection
+description: Policy CSP - ADMX_WindowsFileProtection
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 01/03/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WindowsFileProtection
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
- + ADMX_WindowsFileProtection/WFPShowProgress + +
- + ADMX_WindowsFileProtection/WFPQuota + +
- + ADMX_WindowsFileProtection/WFPScan + +
- + ADMX_WindowsFileProtection/WFPDllCacheDir + +
+ + +## ADMX_WindowsFileProtection policies + +
-
+
+ + +**ADMX_WindowsFileProtection/WFPShowProgress** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the file scan progress window. This window provides status information to sophisticated users, but it might confuse the users. + +- If you enable this policy setting, the file scan window does not appear during file scanning. +- If you disable or do not configure this policy setting, the file scan progress window appears. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the file scan progress window* +- GP name: *WFPShowProgress* +- GP path: *Windows File Protection!SfcShowProgress* +- GP ADMX file name: *WindowsFileProtection.admx* + + + +
+ + +**ADMX_WindowsFileProtection/WFPQuota** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache. +Windows File Protection adds protected files to the cache until the cache content reaches the quota. +If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota. + +- If you enable this policy setting, enter the maximum amount of disk space to be used (in MB). +To indicate that the cache size is unlimited, select "4294967295" as the maximum amount of disk space. + +- If you disable this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003. +> [!NOTE] +> Icon size is dependent upon what the user has set it to in the previous session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit Windows File Protection cache size* +- GP name: *WFPQuota* +- GP path: *System\Windows File Protection* +- GP ADMX file name: *WindowsFileProtection.admx* + + + +
+ + +**ADMX_WindowsFileProtection/WFPScan** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set when Windows File Protection scans protected files. +This policy setting directs Windows File Protection to enumerate and scan all system files for changes. + +- If you enable this policy setting, select a rate from the "Scanning Frequency" box. +You can use this setting to direct Windows File Protection to scan files more often. +-- "Do not scan during startup," the default, scans files only during setup. +-- "Scan during startup" also scans files each time you start Windows XP. +This setting delays each startup. + +- If you disable or do not configure this policy setting, by default, files are scanned only during setup. + +> [!NOTE] +> This policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Windows File Protection scanning* +- GP name: *WFPScan* +- GP path: *System\Windows File Protection* +- GP ADMX file name: *WindowsFileProtection.admx* + + + +
+ + +**ADMX_WindowsFileProtection/WFPDllCacheDir** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies an alternate location for the Windows File Protection cache. + +- If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box. +- If you disable this setting or do not configure it, the Windows File Protection cache is located in the "%Systemroot%\System32\Dllcache directory". + +> [!NOTE] +> Do not add the cache on a network shared directory. + + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify Windows File Protection cache location* +- GP name: *WFPDllCacheDir* +- GP path: *System\Windows File Protection* +- GP ADMX file name: *WindowsFileProtection.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file From 6ea410dc2648a612ab610315387fbe39ed1b53bc Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 2 Mar 2021 01:17:59 +0530 Subject: [PATCH 15/54] Updated --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../policy-configuration-service-provider.md | 7 + .../mdm/policy-csp-admx-filerecovery.md | 125 ++++++++++++++++++ 4 files changed, 134 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-filerecovery.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3675333e76..5d1426ba5e 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -203,6 +203,7 @@ #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) #### [ADMX_EventLog](policy-csp-admx-eventlog.md) #### [ADMX_Explorer](policy-csp-admx-explorer.md) +#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md) #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) #### [ADMX_FileSys](policy-csp-admx-filesys.md) #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a93f4e23d3..25617b27ab 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -266,6 +266,7 @@ ms.date: 10/08/2020 - [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) - [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) - [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) +- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5056143d53..c8b2f862cc 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1053,6 +1053,13 @@ The following diagram shows the Policy configuration service provider in tree fo
-
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
new file mode 100644
index 0000000000..8a327a33a4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@@ -0,0 +1,125 @@
+---
+title: Policy CSP - ADMX_FileRecovery
+description: Policy CSP - ADMX_FileRecovery
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 03/02/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_FileRecovery
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+ + +## ADMX_FileRecovery policies + + + + +
+ + +**ADMX_FileRecovery/WdiScenarioExecutionPolicy** + + ++
+ + ++ +Windows Edition +Supported? ++ +Home ++ +Pro ++ +Business ++ +Enterprise ++ +Education +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. + +If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. + +If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. + +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disk Diagnostic: Configure execution level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* +- GP ADMX file name: *FileRecovery.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + From ab1404fdb8c99d73f21c9fe56e05de63f7e32e17 Mon Sep 17 00:00:00 2001 From: Nimisha SatapathyDefines the root node.
**IsActiveZeroExhaust** -Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
+Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
- There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
- There should be no traffic during installation of Windows and first logon when local ID is used. -
- Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic. -
- Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, etc.) to Microsoft. +
- Launching and using a local app (Notepad, Paint, and so on.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic. +
- Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on.) to Microsoft.
The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-The following list of transactions are performed in one DHA-Session:
+The following list of transactions is performed in one DHA-Session:
- DHA-CSP and DHA-Service communication:
- DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service @@ -75,7 +75,7 @@ The following is a list of functions performed by the Device HealthAttestation C DHA-Enabled MDM (Device HealthAttestation enabled device management solution)
- Enables the DHA feature on a DHA-Enabled device
- Issues device health attestation requests to enrolled/managed devices @@ -85,7 +85,7 @@ The following is a list of functions performed by the Device HealthAttestation C DHA-CSP (Device HealthAttestation Configuration Service Provider)
- Collects device boot data (DHA-BootData) from a managed device
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) @@ -97,7 +97,7 @@ The following is a list of functions performed by the Device HealthAttestation C
Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations are performed by DHA-Enabled-MDM:
+The following list of operations is performed by DHA-Enabled-MDM
The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations are performed by DHA-CSP:
+The following list of operations is performed by DHA-CSP:
Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations are performed by DHA-Service:
+The following list of operations is performed by DHA-Service:
- Receives device boot data (DHA-BootData) from a DHA-Enabled device
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
@@ -126,7 +126,7 @@ The following is a list of functions performed by the Device HealthAttestation C
- Available in Windows for free
- Running on a high-availability and geo-balanced cloud infrastructure
- Supported by most DHA-Enabled device management solutions as the default device attestation service provider -
- Accessible to all enterprise managed devices via following: +
- Accessible to all enterprise-managed devices via following:
- FQDN = has.spserv.microsoft.com) port
- Port = 443 @@ -144,7 +144,7 @@ The following is a list of functions performed by the Device HealthAttestation C
- Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
- Hosted on an enterprise owned and managed server device/hardware
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios -
Accessible to all enterprise managed devices via following:
+Accessible to all enterprise-managed devices via following:
- FQDN = (enterprise assigned)
- Port = (enterprise assigned) @@ -155,12 +155,12 @@ The following is a list of functions performed by the Device HealthAttestation C
- Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios -
Accessible to all enterprise managed devices via following:
+Accessible to all enterprise-managed devices via following:
- FQDN = (enterprise assigned)
- Port = (enterprise assigned) @@ -318,13 +318,13 @@ SSL-Session: There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) - Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) -- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud) +- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud) DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider. For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service. -The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service. +The following example shows a sample call that instructs a managed device to communicate with an enterprise-managed DHA-Service. ```xml
From 9ef28f1dc68c77c1157c6a1190be17391f6c21e6 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Supported operation is Get.
***ContextID*** -Node created by the server to define a context. Maximum amount of characters allowed is 38.
+Node created by the server to define a context. Maximum number of characters allowed is 38.
Supported operations are Add, Get, and Delete.
**SignalDefinition** @@ -76,15 +76,15 @@ DynamicManagementValue type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPackResponse** -Response from applying a Settings Pack that contains information on each individual action..
+Response from applying a Settings Pack that contains information on each individual action.
Value type is string. Supported operation is Get.
**ContextStatus** -Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed..
+Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
Value type is integer. Supported operation is Get.
**Altitude** -A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..
+A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
Value type is integer. Supported operations are Add, Get, Delete, and Replace.
**AlertsEnabled** @@ -93,7 +93,7 @@ DynamicManagement ## Examples -Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude +Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude ```xmlFrom 14d8930359a52680ccdd83d13fb00c26a9a1a731 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Defines the root node for the DMSessionActions configuration service provider.
***ProviderID*** -Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache.
+Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
Scope is dynamic. Supported operations are Get, Add, and Delete.
@@ -92,12 +92,12 @@ DMSessionActionsValue type is string. Supported operation is Get.
**PowerSettings** -Node for power related configrations
+Node for power-related configrations
**PowerSettings/MaxSkippedSessionsInLowPowerState** -Maximum number of continuous skipped sync sessions when the device is in low power state.
+Maximum number of continuous skipped sync sessions when the device is in low-power state.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state.
+Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
From 65af9e34319aa788a3a5865571b3b81de2dbb092 Mon Sep 17 00:00:00 2001 From: Nourdin Boulassel
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | |EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|EDR |macOS:
- 11 (Big Sur)
- 10.15 (Catalina)
- 10.14 (Mojave)
|[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | |[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| |Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | |Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | From 4ad258732e2c7b318ed4b6a3d47cd70acbd24203 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 15 Mar 2021 18:48:47 +0200 Subject: [PATCH 31/54] Update gov.md MDE for DoD is now GA'd. --- .../threat-protection/microsoft-defender-atp/gov.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index e40a3ed5d3..e119763d43 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -47,9 +47,6 @@ GCC | GCC High | DoD Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government -> [!NOTE] -> DoD licensing will only be available at DoD general availability. -
## Portal URLs @@ -59,7 +56,7 @@ Customer type | Portal URL :---|:--- GCC | https://gcc.securitycenter.microsoft.us GCC High | https://securitycenter.microsoft.us -DoD (PREVIEW) | https://securitycenter.microsoft.us +DoD | https://securitycenter.microsoft.us
@@ -68,7 +65,7 @@ DoD (PREVIEW) | https://securitycenter.microsoft.us ### Standalone OS versions The following OS versions are supported: -OS version | GCC | GCC High | DoD (PREVIEW) +OS version | GCC | GCC High | DoD :---|:---|:---|:--- Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  |  |  Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  |  |  @@ -100,7 +97,7 @@ iOS |  On engineering backlog | : -OS version | GCC | GCC High | DoD (PREVIEW) +OS version | GCC | GCC High | DoD :---|:---|:---|:--- Windows Server 2016 |  |  |  Windows Server 2012 R2 |  |  |  @@ -143,7 +140,7 @@ You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – US Gov ## API Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: -Endpoint type | GCC | GCC High & DoD (PREVIEW) +Endpoint type | GCC | GCC High & DoD :---|:---|:--- Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us` Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us` @@ -156,7 +153,7 @@ Defender for Endpoint for US Government customers doesn't have complete parity w These are the known gaps as of March 2021: -Feature name | GCC | GCC High | DoD (PREVIEW) +Feature name | GCC | GCC High | DoD :---|:---|:---|:--- Automated investigation and remediation: Live response |  |  |  Automated investigation and remediation: Response to Office 365 alerts |  On engineering backlog |  On engineering backlog |  On engineering backlog From 27a8f137a529e0c4f55495f718b7045d45c18d34 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 15 Mar 2021 20:02:16 +0200 Subject: [PATCH 32/54] Update onboard-windows-10-multi-session-device.md Removing note. (https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9306) --- .../onboard-windows-10-multi-session-device.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md index f88cf154c1..7d8cdd81a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md @@ -26,9 +26,6 @@ Applies to: > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -> [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. - Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. ## Before you begin From ee95626a6e193bf31dc7c9b7db5ee0a8bc1a5174 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 15 Mar 2021 20:06:26 +0200 Subject: [PATCH 33/54] Update onboard-windows-10-multi-session-device.md Acrolinx. --- .../onboard-windows-10-multi-session-device.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md index 7d8cdd81a7..c119f2909f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md @@ -26,23 +26,23 @@ Applies to: > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. +Microsoft Defender for Endpoint supports monitoring both VDI and Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. ## Before you begin -See [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts. +See [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) doesn't provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts. > [!NOTE] > Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either: > - Single entry for each virtual desktop > - Multiple entries for each virtual desktop -Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. +Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. -Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. +Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It's executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you're using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. > [!NOTE] -> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. +> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It's _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. ## Scenarios There are several ways to onboard a WVD host machine: @@ -101,7 +101,7 @@ This scenario uses a centrally located script and runs it using a domain-based g If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) > [!WARNING] -> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), the rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. +> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), the rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it's incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. ## Tagging your machines when building your image @@ -112,7 +112,7 @@ As part of your onboarding, you may want to consider setting a machine tag to be When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). -In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: +Also, if you're using FSlogix user profiles, we recommend you exclude the following files from always-on protection: ### Exclude Files From 18af9bf8cc8033097abddfea198c5f16422e9620 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 15 Mar 2021 20:07:48 +0200 Subject: [PATCH 34/54] Update onboard-windows-10-multi-session-device.md --- .../onboard-windows-10-multi-session-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md index c119f2909f..64b1f56c3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md @@ -105,7 +105,7 @@ If you plan to manage your machines using a management tool, you can onboard dev ## Tagging your machines when building your image -As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see +As part of your onboarding, you may want to consider setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center. For more information, see [Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). ## Other recommended configuration settings From ae7e0f66caee67e148f35ec1263bf5314f8e619a Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy
Microsoft Store | Assign
roles | Edit
account | Sign
agreements | View
account | -| ------------------------| ------ | -------- | ------ | -------| -------- | -| Billing account owner | X | X | X | X | X | -| Billing account contributor | | | X | X | X | -| Billing account reader | | | | | X | -| Signatory | | | | X | X | +| | Admin | Purchaser | Device Guard signer | +| ------------------------------ | ------ | -------- | ------------------- | +| Assign roles | X | | | +| Manage Microsoft Store for Business and Education settings | X | | | +| Acquire apps | X | X | | +| Distribute apps | X | X | | +| Sign policies and catalogs | X | | | +| Sign Device Guard changes | X | | X | - -## Purchasing roles and permissions -There are also a set of roles for purchasing and managing items bought. -This table lists the roles and their permissions. - -| Role | Buy from
Microsoft Store | Manage all items | Manage items
I buy | -| ------------| ------ | -------- | ------ | -| Purchaser | X | X | | -| Basic purchaser | X | | X | - -## Assign roles **To assign roles to people** -1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). +1. Sign in to Microsoft Store for Business or Microsoft Store for Education. >[!Note] - >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**. - -2. Select **Manage**, and then select **Permissions**. -3. On **Roles**, or **Purchasing roles**, select **Assign roles**. -4. Enter a name, choose the role you want to assign, and select **Save**. - If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md). + >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page. + + To assign roles, you need to be a Global Administrator or a Store Administrator. + +2. Click **Settings**, and then choose **Permissions**. + + OR + + Click **Manage**, and then click **Permissions** on the left-hand menu. + + + +3. Click **Add people**, type a name, choose the role you want to assign, and click **Save**. + + + +4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md). \ No newline at end of file From 3b57acf8a0abe078effcc8b5a3e681b4585cef48 Mon Sep 17 00:00:00 2001 From: Cern McAtee
The operation cost of running one or more instances of Server 2016 on-premises. - - + > [!NOTE] > There is no device ID claim in the access token because the device may not yet be enrolled at this time. From 047a401245d5d81807f15a4559dea23b6e2205d0 Mon Sep 17 00:00:00 2001 From: Gary MooreDevice Health Attestation - Enterprise Managed Cloud -(DHA-EMC)
DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.
+Device Health Attestation - Enterprise-Managed Cloud +(DHA-EMC)
DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
> [!NOTE] > There is no device ID claim in the access token because the device may not yet be enrolled at this time. @@ -647,7 +648,7 @@ Alert sample: ## Determine when a user is logged in through polling -An alert is send to the MDM server in DM package\#1. +An alert is sent to the MDM server in DM package\#1. - Alert type - com.microsoft/MDM/LoginStatus - Alert format - chr From 735fdce8a3aa4efae15d512a411b3a52e486425c Mon Sep 17 00:00:00 2001 From: Gary Moore