diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e115963c4d..ef3741bb12 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -227,7 +227,12 @@ }, { "source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md", -"redirect_url": "/windows/configuration/set-up-a-device-for-anyone-to-use", +"redirect_url": "/windows/configuration/kiosk-shared-pc", +"redirect_document_id": false +}, +{ +"source_path": "windows/configuration/set-up-a-device-for-anyone-to-use.md", +"redirect_url": "/windows/configuration/kiosk-shared-pc", "redirect_document_id": true }, { @@ -7647,7 +7652,7 @@ }, { "source_path": "windows/manage/manage-corporate-devices.md", -"redirect_url": "/windows/client-management/manage-corporate-devices", +"redirect_url": "/windows/client-management/index", "redirect_document_id": true }, { diff --git a/bcs/index.md b/bcs/index.md index d877efe94f..01f7f2e27b 100644 --- a/bcs/index.md +++ b/bcs/index.md @@ -4,6 +4,7 @@ hide_bc: true author: CelesteDG ms.author: celested ms.topic: hub-page +ms.localizationpriority: high audience: microsoft-business  title: Microsoft 365 Business documentation and resources description: Learn about the product documentation and resources available for Microsoft 365 Business partners, IT admins, information workers, and business owners. @@ -12,7 +13,7 @@ description: Learn about the product documentation and resources available for M
@@ -56,7 +57,7 @@ description: Learn about the product documentation and resources available for M Partner/IT admin +
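Review bot: In the @@ -7647,7 +7652,7 hunk of .openpublishing.redirection.json, manage-corporate-devices.md now redirects to /windows/client-management/index with "redirect_document_id": true; please confirm that the index page does not already carry a document id of its own, because the id transfer only works for one source per target and for a target without its own id. The @@ -227,7 +227,12 hunk handles the analogous case correctly by flipping the older set-up-a-device-for-anyone-to-use redirect to false so that only the new windows/configuration source carries the id to /windows/configuration/kiosk-shared-pc.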

If not specified, the default is All.

Value type is string. Supported operations are Add, Get, Replace, and Delete.

**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** @@ -209,6 +253,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/Description** @@ -217,13 +262,13 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Enabled**

    Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is disabled by default.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified - a new rule is disabled by default.

    +

    Boolean value. Supported operations are Get and Replace.

    **FirewallRules_FirewallRuleName_/Profiles** -

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

    - -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

    +

    If not specified, the default is All.

    +

    Value type is integer. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Action**

    Specifies the action for the rule.

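Review bot: The added Profiles line in this hunk (@@ -217,13 +262,13) keeps the doubled period in "Domain, Private, Public. . See [FW_PROFILE_TYPE](...)"; drop the stray ". " while the line is being rewritten, and remove the "en-us" locale segment from the msdn.microsoft.com link so it resolves for every locale. Two smaller points: the added "If not specified - a new rule is disabled by default." under Enabled should use a comma, matching the "If not specified, the default is All." sentences elsewhere in the file, and the context heading "**FirewallRules_FirewallRuleName_/Profiles**" is missing the "/" after FirewallRules and is worth fixing in the same change.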
    @@ -235,7 +280,8 @@ If not specified - a new rule is disabled by default.

  • 0 - Block
  • 1 - Allow
  • -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified, the default is allow.

    +

    Value type is integer. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Direction**

    Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:

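Review bot: The default added for Action in this hunk (@@ -235,7 +280,8), "If not specified, the default is allow.", should name the value as it appears in the list above it, i.e. "1 - Allow" (the Profiles default says "All" in the same way); a rule pushed without an Action element therefore becomes an allow rule, and writing the enumeration value makes that consequence unambiguous for whoever authors the policy.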
    @@ -244,27 +290,24 @@ If not specified - a new rule is disabled by default.

  • OUT - the rule applies to outbound traffic.
  • If not specified, the default is IN.
  • -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +

    Value type is string. Supported operations are Get and Replace.

    **FirewallRules/FirewallRuleName/InterfaceTypes**

    Comma separated list of interface types. Valid values:

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    - -**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -

    List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified, the default is All.

    +

    Value type is string. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/EdgeTraversal**

    Indicates whether edge traversal is enabled or disabled for this rule.

    The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

    New rules have the EdgeTraversal property disabled by default.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +

    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**

    Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

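Review bot: Removing the **FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** heading in this hunk (@@ -244,27 +290,24) leaves its description ("List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.") and the following "If not specified, the default is All." sitting under InterfaceTypes, so a reader can no longer tell which node that default belongs to; either restore the heading or remove the description together with it. Three further points in the same hunk: "If not specified, the default is IN." under Direction is rendered as a bullet of the supported-values list instead of a sentence after it; the trailing "<" on the ICMP description line is leftover markup; and EdgeTraversal now reads "Value type is bool. Supported operations are Add, Get, Replace, and Delete." while Enabled in the same file says "Boolean value. Supported operations are Get and Replace.", so please confirm that Add and Delete on EdgeTraversal are intended and align the value-type wording.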
    @@ -274,10 +317,6 @@ If not specified - a new rule is disabled by default.

    Provides information about the specific verrsion of the rule in deployment for monitoring purposes.

    Value type is string. Supported operation is Get.

    -**FirewallRules/_FirewallRuleName_/FriendlyName** -

    Specifies the friendly name of the rule. The string must not contain the "|" character.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    - **FirewallRules/_FirewallRuleName_/Name**

    Name of the rule.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

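Review bot: This hunk (@@ -274,10 +317,6) removes the **FirewallRules/_FirewallRuleName_/FriendlyName** heading, but the lines "Specifies the friendly name of the rule. The string must not contain the "|" character." and "Value type is string. Supported operations are Add, Get, Replace, and Delete." carry no removal marker, so they would be left dangling after the Status node; remove them with the heading, and if the "|" restriction still applies to Name, state it under "Name of the rule." The context line "Provides information about the specific verrsion of the rule" has a typo ("version") that is worth fixing while the section is being edited.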
    diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 9456acd05e..7a8de5174f 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/18/2017 --- # Firewall CSP @@ -30,6 +30,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + Root node for the Firewall configuration service provider. @@ -67,7 +68,6 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - @@ -88,7 +88,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. + Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. 
@@ -109,7 +109,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. @@ -130,8 +130,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win. + FALSE + This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. 
@@ -152,8 +155,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 300 + This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. @@ -174,8 +180,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 1 + Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -196,8 +205,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 0 + This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -218,8 +230,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -282,8 +296,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. 
@@ -304,8 +320,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + 0 + This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. 
@@ -346,10 +365,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -368,10 +389,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -391,9 +414,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -412,10 +436,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -434,10 +460,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -456,10 +484,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -478,10 +508,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -500,10 +532,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -522,10 +556,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -544,8 +580,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -566,8 +604,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -588,10 +628,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -630,10 +672,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -652,10 +696,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -675,9 +721,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -696,10 +743,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -718,10 +767,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -740,10 +791,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -762,10 +815,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -784,10 +839,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -806,10 +863,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -828,8 +887,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -850,8 +911,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -872,10 +935,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -914,10 +979,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -936,10 +1003,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -959,9 +1028,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -980,10 +1050,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -1002,10 +1074,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -1024,10 +1098,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -1046,10 +1122,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -1068,10 +1146,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -1090,10 +1170,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -1112,8 +1194,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -1134,8 +1218,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -1156,10 +1242,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -1200,6 +1288,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). @@ -1349,7 +1438,7 @@ ServiceName - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. @@ -1373,7 +1462,7 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320 + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. @@ -1397,7 +1486,7 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320 + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. @@ -1428,7 +1517,7 @@ Valid tokens include: A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. -An IPv6 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. @@ -1466,7 +1555,7 @@ An IPv6 address range in the format of "start address - end address" with no spa A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. -An IPv6 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. 
@@ -1509,8 +1598,6 @@ An IPv6 address range in the format of "start address - end address" with no spa Enabled - - @@ -1534,12 +1621,10 @@ If not specified - a new rule is disabled by default. Profiles - - - Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. + Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. @@ -1560,13 +1645,7 @@ If not specified - a new rule is disabled by default. - Specifies the action for the rule. - -BLOCK - block the connection. -ALLOW - allow the connection. - - -If not specified the default action is BLOCK. + Specifies the action for the rule. @@ -1584,11 +1663,10 @@ If not specified the default action is BLOCK. Type - - + 1 Specifies the action the rule enforces: 0 - Block 1 - Allow @@ -1611,11 +1689,10 @@ If not specified the default action is BLOCK. Direction - - + IN Comma separated list. The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. @@ -1640,11 +1717,10 @@ If not specified the detault is IN. InterfaceTypes - - + All String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All". If more than one interface type is specified, the strings must be separated by a comma. @@ -1661,30 +1737,6 @@ If not specified the detault is IN. - - IcmpTypesAndCodes - - - - - - - - The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes. - - - - - - - - - - - text/plain - - - EdgeTraversal 
@@ -1760,31 +1812,6 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - - FriendlyName - - - - - - - - Specifies the friendly name of the rule. -The string must not contain the "|" character. - - - - - - - - - - - text/plain - - - Name diff --git a/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png b/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png new file mode 100644 index 0000000000..36d0561150 Binary files /dev/null and b/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png differ diff --git a/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png b/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png new file mode 100644 index 0000000000..6f22d4701e Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png differ diff --git a/windows/client-management/mdm/images/admx-appv-policy-description.png b/windows/client-management/mdm/images/admx-appv-policy-description.png new file mode 100644 index 0000000000..46e99fcb28 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-policy-description.png differ diff --git a/windows/client-management/mdm/images/admx-appv-publishing.png b/windows/client-management/mdm/images/admx-appv-publishing.png new file mode 100644 index 0000000000..31d83e9329 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-publishing.png differ diff --git a/windows/client-management/mdm/images/admx-appv-publishingserver2.png b/windows/client-management/mdm/images/admx-appv-publishingserver2.png new file mode 100644 index 0000000000..01e516c407 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-publishingserver2.png differ 
diff --git a/windows/client-management/mdm/images/admx-appv.png b/windows/client-management/mdm/images/admx-appv.png new file mode 100644 index 0000000000..9b4c9d2f39 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv.png differ diff --git a/windows/client-management/mdm/images/admx-gpedit-search.png b/windows/client-management/mdm/images/admx-gpedit-search.png new file mode 100644 index 0000000000..97ffa6ffd9 Binary files /dev/null and b/windows/client-management/mdm/images/admx-gpedit-search.png differ diff --git a/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png new file mode 100644 index 0000000000..0f9dc0d872 Binary files /dev/null and b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png index e8364c9bd7..136c240862 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png and b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png index f31e4c749d..4720e51cd7 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-firewall.png and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-office.png b/windows/client-management/mdm/images/provisioning-csp-office.png index caa243a136..c361494236 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-office.png and b/windows/client-management/mdm/images/provisioning-csp-office.png differ 
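Review bot: The DWORD-to-bool rewording in firewall-ddf-file.md is applied inconsistently across the MdmStore hunks: the @@ -959,9 +1028,10 hunk still reads "If this value is on and EnableFirewall is on", the @@ -1002,10 +1074,12 hunk says "If this value is false" in one sentence and "If this value is on" in the next, and the @@ -872,10 +935,12 and @@ -1156,10 +1242,12 hunks mix "DisableStealthMode is on" with "when this option is true". Now that these nodes are booleans, use true/false throughout so a reader cannot mistake "on" for the old 0x00000001 DWORD encoding.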
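Review bot: The @@ -850,8 +911,10 and @@ -1134,8 +1218,10 hunks carry the pre-existing typo "GroupPolicyRSoPStore.win" into the rewritten + lines for the inbound default action; since the sentence is being edited anyway, change it to "let the value of the GroupPolicyRSoPStore win if it is configured" to match the outbound text in the @@ -828 and @@ -1112 hunks.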
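Review bot: The @@ -1560,13 +1645,7 hunk removes the only statement of what happens when a rule's Action is omitted ("BLOCK - block the connection. ALLOW - allow the connection. If not specified the default action is BLOCK") and leaves just "Specifies the action for the rule", while the @@ -1584,11 +1663,10 hunk gives Type a default of 1, which the same description maps to Allow. If the effective default really moved from Block to Allow, say so explicitly in both the DDF description and the CSP topic, because an omitted Action now yields a permissive rule; if it did not, the default in Type should be 0.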
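Review bot: Two pre-existing typos sit in the context lines these hunks touch: "If neither a subnet mask not a network prefix is specified" in the @@ -1428,7 +1517,7 and @@ -1466,7 +1555,7 hunks (should be "nor"), and "If not specified the detault is IN" in the context of the @@ -1640,11 +1717,10 hunk (should be "default"). The + lines in the @@ -1373 and @@ -1397 hunks also keep "for eg." (should be "for example" or "e.g.") and "ip protocol" (should be "IP protocol"); worth fixing while these lines are being rewritten.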
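Review bot: The @@ -1661,30 +1737,6 and @@ -1760,31 +1812,6 hunks delete the IcmpTypesAndCodes and FriendlyName nodes from the published DDF. The August 2017 change-history row in this same commit records the removal, but the CSP topic should also state how a server that still sends these URIs is answered, because an ICMP rule whose type and code restriction is no longer honoured is broader than the administrator intended and should fail loudly rather than be accepted without the restriction.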
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 4a733d2da7..1dbb44551e 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/11/2017 --- # Mobile device enrollment 
@@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au > - Any fixed URIs that are passed during enrollment > - Specific formatting of any value unless otherwise noted, such as the format of the device ID. + +## Enrollment support for domain-joined devices   +Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. -## Prevent MDM enrollments +## Disable MDM enrollments -Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy: +Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. + +![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png) + +Here is the corresponding registry key: Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM Value: DisableRegistration -Using the GP editor, the path is Computer configuration > Administrative Templates > Windows Components > MDM > Disable MDM Enrollment. - ## Enrollment scenarios not supported - The following scenarios do not allow MDM enrollments: - Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. +- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. 
Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM. - Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed. ## Enrollment migration diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ff7ed8e468..c3759e1aab 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,11 +10,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/28/2017 +ms.date: 08/31/2017 --- # What's new in MDM enrollment and management + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -51,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1511 - +
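Review bot: The registry key added under "Disable MDM enrollments" in the @@ -59,26 +59,30 hunk of mobile-device-enrollment.md omits the hive and the value data: "Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM Value: DisableRegistration" does not say which hive the key lives under, what data type DisableRegistration is, or what it must be set to for enrollment to be blocked. Add all three so that admins who script the setting instead of using the GP editor get it right. Also "IT admin can disable" should read "IT admins can disable", and "Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll" should be past tense ("could not enroll").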
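Review bot: The new "Enrollment support for domain-joined devices" paragraph in the same @@ -59,26 +59,30 hunk uses "on-premise" (should be "on-premises"), and "the enrollment can only target the user enrolled with user-specific policies" is hard to parse; suggest "the enrollment applies user-scoped policies only to the enrolling user, while device-scoped policies continue to affect every user of the device". The same "on-premise" wording is repeated in the August 2017 change-history row for this topic in new-in-windows-mdm-enrollment-management.md.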
    @@ -183,7 +184,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1607 -
    +
    @@ -494,7 +495,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1703 -
    +
    @@ -677,12 +678,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartDeadlinePeriodInDays
  • Update/AutoRestartNotificationSchedule
  • -
  • Update/AutoRestartNotificationStyle
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/DetectionFrequency
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • -
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/EngagedRestartTransitionSchedule
  • Update/IgnoreMOAppDownloadLimit
  • Update/IgnoreMOUpdateDownloadLimit
  • Update/PauseFeatureUpdatesStartTime
  • @@ -916,7 +916,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1709 -
    +
    @@ -960,37 +960,94 @@ For details about Microsoft mobile device management protocols for Windows 10 s - + + + + + + + + + + + + - - + + - - + + @@ -48,6 +48,9 @@ ms.date: 07/14/2017

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. +

    The following list shows the supported values: - 0 (default)– Not allowed. @@ -133,6 +136,42 @@ ms.date: 07/14/2017

    Most restricted value is 0. + + + +**Privacy/EnableActivityFeed** + + +

    [AssignedAccess CSP](assignedaccess-csp.md)

    Here are the changes in Windows 10, version 1709.

    +

    Added the following setting in Windows 10, version 1709.

      -
    • Added Configuration node
    • +
    • Configuration
    [DeviceManageability CSP](devicemanageability-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • Provider/_ProviderID_/ConfigInfo
    • +
    • Provider/_ProviderID_/EnrollmentInfo
    • +
    +
    [Office CSP](office-csp.md)

    Added the following setting in Windows 10, version 1709:

    +
      +
    • Installation/CurrentStatus
    • +
    +
    [Bitlocker CSP](bitlocker-csp.md)

    Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.

    +
    [ADMX-backed policies in Policy CSP](policy-configuration-service-provider.md#admx-backed-policies)

    Added new policies.

    +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

      -
    • CredentialProviders/EnableWindowsAutoPilotResetCredentials
    • +
    • Browser/LockdownFavorites
    • +
    • Browser/ProvisionFavorites
    • +
    • CredentialProviders/DisableAutomaticReDeploymentCredentials
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • DeviceGuard/RequirePlatformSecurityFeatures
    • DeviceGuard/LsaCfgFlags
    • +
    • ExploitGuard/ExploitProtectionSettings
    • +
    • Games/AllowAdvancedGamingServices
    • +
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • +
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • Power/DisplayOffTimeoutOnBattery
    • Power/DisplayOffTimeoutPluggedIn
    • Power/HibernateTimeoutOnBattery
    • Power/HibernateTimeoutPluggedIn
    • Power/StandbyTimeoutOnBattery
    • Power/StandbyTimeoutPluggedIn
    • +
    • Privacy/EnableActivityFeed
    • +
    • Privacy/PublishUserActivities
    • Defender/AttackSurfaceReductionOnlyExclusions
    • Defender/AttackSurfaceReductionRules
    • Defender/CloudBlockLevel
    • Defender/CloudExtendedTimeout
    • -
    • Defender/EnableGuardMyFolders
    • +
    • Defender/ControlledFolderAccessAllowedApplications
    • +
    • Defender/ControlledFolderAccessProtectedFolders
    • +
    • Defender/EnableControlledFolderAccess
    • Defender/EnableNetworkProtection
    • -
    • Defender/GuardedFoldersAllowedApplications
    • -
    • Defender/GuardedFoldersList
    • Education/DefaultPrinterName
    • Education/PreventAddingNewPrinters
    • Education/PrinterNames
    • +
    • Search/AllowCloudSearch
    • Security/ClearTPMIfNotReady
    • +
    • System/LimitEnhancedDiagnosticDataWindowsAnalytics
    • +
    • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • +
    • Update/DisableDualScan
    • Update/ScheduledInstallEveryWeek
    • Update/ScheduledInstallFirstWeek
    • Update/ScheduledInstallFourthWeek
    • @@ -1280,6 +1337,166 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### September 2017 + + ++++ + + + + + + + + + + + +
      New or updated topicDescription
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies for Windows 10, version 1709:

      +
        +
      • Search/AllowCloudSearch
      • +
      • System/LimitEnhancedDiagnosticDataWindowsAnalytics
      • +
      +
      + +### August 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      New or updated topicDescription
      [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)

      Added new step-by-step guide to enable ADMX-backed policies.

      +
      [Mobile device enrollment](mobile-device-enrollment.md)

      Added the following statement:

      +
        +
      • Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
      • +
      +
      [CM\_CellularEntries CSP](cm-cellularentries-csp.md)

      Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

      +
      [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

      Updated the Settings/EDPEnforcementLevel values to the following:

      +
        +
      • 0 (default) – Off / No protection (decrypts previously protected data).
      • +
      • 1 – Silent mode (encrypt and audit only).
      • +
      • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
      • +
      • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
      • +
      +
      [AppLocker CSP](applocker-csp.md)

      Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).

      +
      [DeviceManageability CSP](devicemanageability-csp.md)

      Added the following settings in Windows 10, version 1709:

      +
        +
      • Provider/_ProviderID_/ConfigInfo
      • +
      • Provider/_ProviderID_/EnrollmentInfo
      • +
      +
      [Office CSP](office-csp.md)

      Added the following setting in Windows 10, version 1709:

      +
        +
      • Installation/CurrentStatus
      • +
      +
      [BitLocker CSP](bitlocker-csp.md)Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +
      [Firewall CSP](firewall-csp.md)Updated the CSP and DDF topics. Here are the changes: +
        +
      • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
      • +
      • Changed some data types from integer to bool.
      • +
      • Updated the list of supported operations for some settings.
      • +
      • Added default values.
      • +
      +
      [Policy DDF file](policy-ddf-file.md)Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies: +
        +
      • Browser/AllowMicrosoftCompatibilityList
      • +
      • Update/DisableDualScan
      • +
      • Update/FillEmptyContentUrls
      • +
      +
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies for Windows 10, version 1709:

      +
        +
      • Browser/ProvisionFavorites
      • +
      • Browser/LockdownFavorites
      • +
      • ExploitGuard/ExploitProtectionSettings
      • +
      • Games/AllowAdvancedGamingServices
      • +
      • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
      • +
      • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
      • +
      • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
      • +
      • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      • +
      • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
      • +
      • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      • +
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
      • +
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
      • +
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
      • +
      • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      • +
      • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
      • +
      • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      • +
      • Privacy/EnableActivityFeed
      • +
      • Privacy/PublishUserActivities
      • +
      • Update/DisableDualScan
      • +
      • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
      • +
      +

      Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

      +

      Changed the names of the following policies:

      +
        +
      • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
      • +
      • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
      • +
      • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
      • +
      +

      Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

      +

      There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

      +
        +
      • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
      • +
      • Start/HideAppList
      • +
      +
      + ### July 2017 @@ -1313,7 +1530,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
      • Education/DefaultPrinterName
      • Education/PreventAddingNewPrinters
      • -
      • Education/PrinterNames
      • +
      • Education/PrinterNames
      • Security/ClearTPMIfNotReady
      • WindowsDefenderSecurityCenter/CompanyName
      • WindowsDefenderSecurityCenter/DisableAppBrowserUI
      • @@ -1881,11 +2098,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
      • TimeLanguageSettings/AllowSet24HourClock
      • Update/ActiveHoursMaxRange
      • Update/AutoRestartNotificationSchedule
      • -
      • Update/AutoRestartNotificationStyle
      • Update/AutoRestartRequiredNotificationDismissal
      • Update/EngagedRestartDeadline
      • Update/EngagedRestartSnoozeSchedule
      • -
      • Update/EngagedRestartTransistionSchedule
      • +
      • Update/EngagedRestartTransitionSchedule
      • Update/SetAutoRestartNotificationDisable
      • WindowsLogon/HideFastUserSwitching
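Review bot: Several names and words in the new August 2017 table will not match the CSP pages they point at. The CM_CellularEntries entry spells the node "PuposeGroups" (the CSP node is PurposeGroups), the Policy CSP entry says the fixes landed "in Window 10, version 1709" (Windows 10), and "on-premise Active Directory" should read "on-premises". More importantly, this table lists "LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn", "Interactivelogon_DoNotDisplayUsernameAtSignIn" and "Interactivelogon_DoNotRequireCTRLALTDEL" with a lowercase "l" in "Interactivelogon", while the Policy CSP index added in this same patch spells them "InteractiveLogon_..."; readers paste these into OMA-URIs, so pick one spelling across both files. Finally, the BitLocker CSP entry ("Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength") should say whether 4 is now the lowest value the policy accepts or the new default, since a shorter permitted preboot PIN is something an admin reading a change log needs to evaluate.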
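Review bot: In the July 2017 hunk the line "Education/PrinterNames" is removed and then re-added with identical visible text; if this is only a whitespace or line-ending difference, drop it from the patch so the diff is limited to the intended changes (the later EngagedRestartTransistionSchedule to EngagedRestartTransitionSchedule spelling fix is a genuine correction and should stay).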
      diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 8b62bdd0c7..96b82f9aa7 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -6,11 +6,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/22/2017 --- # Office CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx). This CSP was added in Windows 10, version 1703. @@ -38,7 +41,7 @@ The following diagram shows the Office configuration service provider in tree fo **Install** -

      Installs office by using the XML data specified in the configuration.xml file. +

      Installs Office by using the XML data specified in the configuration.xml file.

      The supported operations are Get and Execute. @@ -48,13 +51,18 @@ The following diagram shows the Office configuration service provider in tree fo

      The only supported operation is Get. +**CurrentStatus** + +

      Returns an XML of current Office 365 installation status on the device. + +

      The only supported operation is Get. ## Examples Sample SyncML to install Office 365 Business Retail from current channel. ```syntax - + 7 @@ -76,7 +84,7 @@ Sample SyncML to install Office 365 Business Retail from current channel. To uninstall the Office 365 from the system: ```syntax - + 7 @@ -95,6 +103,24 @@ To uninstall the Office 365 from the system: ``` +To get the current status of Office 365 on the device. + +``` syntax + +    +      7 +        +          +            ./Vendor/MSFT/Office/Installation/CurrentStatus +          +        +    +    + +``` + ## Status code
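Review bot: The new CurrentStatus example does a Get on ./Vendor/MSFT/Office/Installation/CurrentStatus, yet the Office DDF hunk in this same patch changes the CSP root from ./Vendor/MSFT to ./User/Vendor/MSFT and adds a CurrentStatus node in both subtrees; state which scope the example targets and, if both are valid, say so next to the example so readers do not copy a path that fails on their enrollment type. Smaller points in the same hunk: the lead-in "To get the current status of Office 365 on the device." ends with a period where the two earlier examples end with a colon; the node description "Returns an XML of current Office 365 installation status on the device." reads better as "Returns XML describing the current Office 365 installation status on the device."; and the DDF description "The current Office 365 installation status on the machine" says "machine" where the CSP topic says "device", so align the two.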

      diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 0fd89434b4..ebd7f2b843 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/22/2017 --- # Office DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -19,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -30,12 +33,12 @@ The XML below is the current version for this CSP. 1.2 Office - ./Vendor/MSFT + ./User/Vendor/MSFT - Root of the office CSP. + Root of the Office CSP. @@ -46,7 +49,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/Office + com.microsoft/1.3/MDM/Office @@ -55,7 +58,7 @@ The XML below is the current version for this CSP. - Installation options for the office CSP. + Installation options for the Office CSP. 
@@ -100,7 +103,7 @@ The XML below is the current version for this CSP. - The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office. @@ -137,6 +140,27 @@ The XML below is the current version for this CSP. + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + text/plain + + + @@ -156,7 +180,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.3/MDM/Office @@ -243,6 +267,27 @@ The XML below is the current version for this CSP. + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7659b059e9..c6e4757c28 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/27/2017 +ms.date: 08/25/2017 --- # Policy CSP @@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
      Bitlocker/EncryptionMethod
      +
      + BitLocker/EncryptionMethodByDriveType in BitLocker CSP +
      +
      + BitLocker/FixedDrivesRecoveryOptions in BitLocker CSP +
      +
      + BitLocker/FixedDrivesRequireEncryption in BitLocker CSP +
      +
      + BitLocker/RemovableDrivesRequireEncryption in BitLocker CSP +
      +
      + BitLocker/SystemDrivesMinimumPINLength in BitLocker CSP +
      +
      + BitLocker/SystemDrivesRecoveryMessage in BitLocker CSP +
      +
      + BitLocker/SystemDrivesRecoveryOptions in BitLocker CSP +
      +
      + BitLocker/SystemDrivesRequireStartupAuthentication in BitLocker CSP +
      ### Bluetooth policies @@ -432,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Browser/HomePages
      +
      + Browser/LockdownFavorites +
      Browser/PreventAccessToAboutFlagsInMicrosoftEdge
      @@ -450,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Browser/PreventUsingLocalHostIPAddressForWebRTC
      +
      + Browser/ProvisionFavorites +
      Browser/SendIntranetTraffictoInternetExplorer
      @@ -534,7 +564,7 @@ The following diagram shows the Policy configuration service provider in tree fo CredentialProviders/BlockPicturePassword
      - CredentialProviders/EnableWindowsAutoPilotResetCredentials + CredentialProviders/DisableAutomaticReDeploymentCredentials
      @@ -643,7 +673,7 @@ The following diagram shows the Policy configuration service provider in tree fo Defender/DaysToRetainCleanedMalware
      - Defender/EnableGuardMyFolders + Defender/EnableControlledFolderAccess
      Defender/EnableNetworkProtection @@ -658,10 +688,10 @@ The following diagram shows the Policy configuration service provider in tree fo Defender/ExcludedProcesses
      - Defender/GuardedFoldersAllowedApplications + Defender/ControlledFolderAccessAllowedApplications
      - Defender/GuardedFoldersList + Defender/ControlledFolderAccessProtectedFolders
      Defender/PUAProtection @@ -978,6 +1008,14 @@ The following diagram shows the Policy configuration service provider in tree fo
      +### ExploitGuard policies + +
      +
      + ExploitGuard/ExploitProtectionSettings +
      +
      + ### Games policies
      @@ -1778,6 +1816,83 @@ The following diagram shows the Policy configuration service provider in tree fo
      +### LocalPoliciesSecurityOptions policies + +
      +
      + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +
      +
      + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +
      +
      + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +
      +
      + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +
      +
      + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +
      +
      + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +
      +
      + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +
      +
      + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon +
      +
      + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +
      +
      + ### Location policies
      @@ -1914,6 +2029,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Privacy/DisableAdvertisingId
      +
      + Privacy/EnableActivityFeed +
      Privacy/LetAppsAccessAccountInfo
      @@ -2130,6 +2248,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
      +
      + Privacy/PublishUserActivities +
      ### RemoteAssistance policies @@ -2262,6 +2383,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### Search policies
      +
      + Search/AllowCloudSearch +
      Search/AllowIndexingEncryptedStoresOrItems
      @@ -2525,6 +2649,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      System/DisableSystemRestore
      +
      + System/LimitEnhancedDiagnosticDataWindowsAnalytics +
      System/TelemetryProxy
      @@ -2597,6 +2724,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Update/AllowAutoUpdate
      +
      + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +
      Update/AllowMUUpdateService
      @@ -2633,6 +2763,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Update/DetectionFrequency
      +
      + Update/DisableDualScan +
      Update/EngagedRestartDeadline
      @@ -3395,6 +3528,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) - [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) +- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -3403,6 +3537,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - [System/AllowFontProviders](#system-allowfontproviders) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 5b1b04014f..2268695665 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - AboveLock 
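Review bot: In the BitLocker hunk of the Policy CSP index the existing row reads "Bitlocker/EncryptionMethod" while the eight new rows read "BitLocker/... in BitLocker CSP"; the new rows are cross-references to a different CSP, not Policy CSP nodes, so either put them under a one-line note saying they live in the BitLocker CSP or keep them out of this table, and settle the Bitlocker/BitLocker casing so the table does not look like it lists two different providers.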
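Review bot: The rename from CredentialProviders/EnableWindowsAutoPilotResetCredentials to CredentialProviders/DisableAutomaticReDeploymentCredentials flips the verb from Enable to Disable; if the meaning of the allowed values flipped with it, the change-history entry ("Changed the name of new policy to ...") should say so explicitly, because a profile that set the old policy to 1 will mean the opposite if only the name is updated. The Defender renames (GuardedFoldersAllowedApplications, GuardedFoldersList and EnableGuardMyFolders to the ControlledFolderAccess* names) are presented as pure renames; a short sentence confirming that the values are unchanged would save readers the same question.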
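Review bot: In the new LocalPoliciesSecurityOptions section, UserAccountControl_RunAllAdministratorsInAdminApprovalMode is placed before UserAccountControl_AllowUIAccessApplicationsToPromptForElevation, whereas the rest of this list and the matching list in the change-history hunk are alphabetical; move it after UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations so the two lists agree.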
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 321173c109..f2e678427b 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Accounts diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index ecf8c1bd88..755aeb5a2e 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - ActiveXControls @@ -64,8 +64,9 @@ Note: Wild card characters cannot be used when specifying the host URLs. ADMX Info: -- GP english name: *Approved Installation Sites for ActiveX Controls* +- GP English name: *Approved Installation Sites for ActiveX Controls* - GP name: *ApprovedActiveXInstallSites* +- GP path: *Windows Components/ActiveX Installer Service* - GP ADMX file name: *ActiveXInstallService.admx* diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 1611634651..838ad9fbc8 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - ApplicationDefaults diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 04487cf2a4..db13ecc123 100644 
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - ApplicationManagement diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index b0b817880f..e44fda0b34 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - AppVirtualization @@ -58,8 +58,9 @@ This policy setting allows you to enable or disable Microsoft Application Virtua ADMX Info: -- GP english name: *Enable App-V Client* +- GP English name: *Enable App-V Client* - GP name: *EnableAppV* +- GP path: *System/App-V* - GP ADMX file name: *appv.admx* @@ -103,8 +104,9 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj ADMX Info: -- GP english name: *Enable Dynamic Virtualization* +- GP English name: *Enable Dynamic Virtualization* - GP name: *Virtualization_JITVEnable* +- GP path: *System/App-V/Virtualization* - GP ADMX file name: *appv.admx* @@ -148,8 +150,9 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv ADMX Info: -- GP english name: *Enable automatic cleanup of unused appv packages* +- GP English name: *Enable automatic cleanup of unused appv packages* - GP name: *PackageManagement_AutoCleanupEnable* +- GP path: *System/App-V/PackageManagement* - GP ADMX file name: *appv.admx* 
@@ -193,8 +196,9 @@ Enables scripts defined in the package manifest of configuration files that shou ADMX Info: -- GP english name: *Enable Package Scripts* +- GP English name: *Enable Package Scripts* - GP name: *Scripting_Enable_Package_Scripts* +- GP path: *System/App-V/Scripting* - GP ADMX file name: *appv.admx* @@ -238,8 +242,9 @@ Enables a UX to display to the user when a publishing refresh is performed on th ADMX Info: -- GP english name: *Enable Publishing Refresh UX* +- GP English name: *Enable Publishing Refresh UX* - GP name: *Enable_Publishing_Refresh_UX* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -293,8 +298,9 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t ADMX Info: -- GP english name: *Reporting Server* +- GP English name: *Reporting Server* - GP name: *Reporting_Server_Policy* +- GP path: *System/App-V/Reporting* - GP ADMX file name: *appv.admx* @@ -338,8 +344,9 @@ Specifies the file paths relative to %userprofile% that do not roam with a user' ADMX Info: -- GP english name: *Roaming File Exclusions* +- GP English name: *Roaming File Exclusions* - GP name: *Integration_Roaming_File_Exclusions* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -383,8 +390,9 @@ Specifies the registry paths that do not roam with a user profile. Example usage ADMX Info: -- GP english name: *Roaming Registry Exclusions* +- GP English name: *Roaming Registry Exclusions* - GP name: *Integration_Roaming_Registry_Exclusions* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -428,8 +436,9 @@ Specifies how new packages should be loaded automatically by App-V on a specific ADMX Info: -- GP english name: *Specify what to load in background (aka AutoLoad)* +- GP English name: *Specify what to load in background (aka AutoLoad)* - GP name: *Steaming_Autoload* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* 
@@ -473,8 +482,9 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package ADMX Info: -- GP english name: *Enable Migration Mode* +- GP English name: *Enable Migration Mode* - GP name: *Client_Coexistence_Enable_Migration_mode* +- GP path: *System/App-V/Client Coexistence* - GP ADMX file name: *appv.admx* @@ -518,8 +528,9 @@ Specifies the location where symbolic links are created to the current version o ADMX Info: -- GP english name: *Integration Root User* +- GP English name: *Integration Root User* - GP name: *Integration_Root_User* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -563,8 +574,9 @@ Specifies the location where symbolic links are created to the current version o ADMX Info: -- GP english name: *Integration Root Global* +- GP English name: *Integration Root Global* - GP name: *Integration_Root_Global* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -626,8 +638,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: -- GP english name: *Publishing Server 1 Settings* +- GP English name: *Publishing Server 1 Settings* - GP name: *Publishing_Server1_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -689,8 +702,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: -- GP english name: *Publishing Server 2 Settings* +- GP English name: *Publishing Server 2 Settings* - GP name: *Publishing_Server2_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -752,8 +766,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: -- GP english name: *Publishing Server 3 Settings* +- GP English name: *Publishing Server 3 Settings* - GP name: *Publishing_Server3_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* 
@@ -815,8 +830,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: -- GP english name: *Publishing Server 4 Settings* +- GP English name: *Publishing Server 4 Settings* - GP name: *Publishing_Server4_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -878,8 +894,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: -- GP english name: *Publishing Server 5 Settings* +- GP English name: *Publishing Server 5 Settings* - GP name: *Publishing_Server5_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -923,8 +940,9 @@ Specifies the path to a valid certificate in the certificate store. ADMX Info: -- GP english name: *Certificate Filter For Client SSL* +- GP English name: *Certificate Filter For Client SSL* - GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -968,8 +986,9 @@ This setting controls whether virtualized applications are launched on Windows 8 ADMX Info: -- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* +- GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* - GP name: *Streaming_Allow_High_Cost_Launch* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1013,8 +1032,9 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP ADMX Info: -- GP english name: *Location Provider* +- GP English name: *Location Provider* - GP name: *Streaming_Location_Provider* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* 
@@ -1058,8 +1078,9 @@ Specifies directory where all new applications and updates will be installed. ADMX Info: -- GP english name: *Package Installation Root* +- GP English name: *Package Installation Root* - GP name: *Streaming_Package_Installation_Root* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1103,8 +1124,9 @@ Overrides source location for downloading package content. ADMX Info: -- GP english name: *Package Source Root* +- GP English name: *Package Source Root* - GP name: *Streaming_Package_Source_Root* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1148,8 +1170,9 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio ADMX Info: -- GP english name: *Reestablishment Interval* +- GP English name: *Reestablishment Interval* - GP name: *Streaming_Reestablishment_Interval* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1193,8 +1216,9 @@ Specifies the number of times to retry a dropped session. ADMX Info: -- GP english name: *Reestablishment Retries* +- GP English name: *Reestablishment Retries* - GP name: *Streaming_Reestablishment_Retries* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1238,8 +1262,9 @@ Specifies that streamed package contents will be not be saved to the local hard ADMX Info: -- GP english name: *Shared Content Store (SCS) mode* +- GP English name: *Shared Content Store (SCS) mode* - GP name: *Streaming_Shared_Content_Store_Mode* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1283,8 +1308,9 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming ADMX Info: -- GP english name: *Enable Support for BranchCache* +- GP English name: *Enable Support for BranchCache* - GP name: *Streaming_Support_Branch_Cache* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* 
@@ -1328,8 +1354,9 @@ Verifies Server certificate revocation status before streaming using HTTPS. ADMX Info: -- GP english name: *Verify certificate revocation list* +- GP English name: *Verify certificate revocation list* - GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1373,8 +1400,9 @@ Specifies a list of process paths (may contain wildcards) which are candidates f ADMX Info: -- GP english name: *Virtual Component Process Allow List* +- GP English name: *Virtual Component Process Allow List* - GP name: *Virtualization_JITVAllowList* +- GP path: *System/App-V/Virtualization* - GP ADMX file name: *appv.admx* diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 5d23ee3459..202f7f324a 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - AttachmentManager @@ -64,8 +64,9 @@ If you do not configure this policy setting, Windows marks file attachments with ADMX Info: -- GP english name: *Do not preserve zone information in file attachments* +- GP English name: *Do not preserve zone information in file attachments* - GP name: *AM_MarkZoneOnSavedAtttachments* +- GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* @@ -115,8 +116,9 @@ If you do not configure this policy setting, Windows hides the check box and Unb ADMX Info: -- GP english name: *Hide mechanisms to remove zone information* +- GP English name: *Hide mechanisms to remove zone information* - GP name: *AM_RemoveZoneInfo* +- GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* 
@@ -166,8 +168,9 @@ If you do not configure this policy setting, Windows does not call the registere ADMX Info: -- GP english name: *Notify antivirus programs when opening attachments* +- GP English name: *Notify antivirus programs when opening attachments* - GP name: *AM_CallIOfficeAntiVirus* +- GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d6e687ff2b..fcc6506c15 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Authentication diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 8d520d5bf1..daac26b55d 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Autoplay @@ -62,8 +62,9 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for ADMX Info: -- GP english name: *Disallow Autoplay for non-volume devices* +- GP English name: *Disallow Autoplay for non-volume devices* - GP name: *NoAutoplayfornonVolume* +- GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* @@ -120,8 +121,9 @@ If you disable or not configure this policy setting, Windows Vista or later will ADMX Info: -- GP english name: *Set the default behavior for AutoRun* +- GP English name: *Set the default behavior for AutoRun* - GP name: *NoAutorun* +- GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* 
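Review bot: the context line of the @@ -120 hunk (NoAutorun) reads "If you disable or not configure this policy setting"; while this block is being edited, change it to "If you disable or do not configure this policy setting", the wording the @@ -62 hunk (NoAutoplayfornonVolume) already uses.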
@@ -179,8 +181,9 @@ Note: This policy setting appears in both the Computer Configuration and User Co ADMX Info: -- GP english name: *Turn off Autoplay* +- GP English name: *Turn off Autoplay* - GP name: *Autorun* +- GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index d400b459dc..1220f63607 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Bitlocker @@ -58,6 +58,34 @@ ms.date: 07/14/2017 - 6 - XTS-AES 128-bit (Desktop only) - 7 - XTS-AES 256-bit (Desktop only) +

      You can find the following policies in BitLocker CSP: +

      +
      + BitLocker/EncryptionMethodByDriveType +
      +
      + BitLocker/FixedDrivesRecoveryOptions +
      +
      + BitLocker/FixedDrivesRequireEncryption +
      +
      + BitLocker/RemovableDrivesRequireEncryption +
      +
      + BitLocker/SystemDrivesMinimumPINLength +
      +
      + BitLocker/SystemDrivesRecoveryMessage +
      +
      + BitLocker/SystemDrivesRecoveryOptions +
      +
      + BitLocker/SystemDrivesRequireStartupAuthentication +
      +
      +
      diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 36f22b68f0..7bd2ea4992 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Bluetooth diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 1f89d48fa9..82c992e8eb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Browser @@ -679,6 +679,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. + + + +**Browser/AlwaysEnableBooksLibrary** + + +

      + +

      This is only a placeholder. + @@ -965,6 +975,51 @@ Employees cannot remove these search engines, but they can set any one as the de > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + + + +**Browser/LockdownFavorites** + + +
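Review bot: the new **Browser/AlwaysEnableBooksLibrary** section above ships with the body text "This is only a placeholder." and an empty support table; either fill in the description (the "Added in Windows 10, version 1709" line, the value list and the "Data type is ..." line that the neighbouring Browser entries carry) or leave the section out of this commit until the content exists, since a placeholder published in the CSP reference gives admins nothing to act on.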

      + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
      + + + +

      Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +

      If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +> [!Important] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +

        +
      • 0 - Disabled. Do not lockdown Favorites.
      • +
      • 1 - Enabled. Lockdown Favorites.
      • +
      + +

      If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + +

      Data type is integer. + @@ -1191,6 +1246,50 @@ Employees cannot remove these search engines, but they can set any one as the de - 0 (default) – The localhost IP address is shown. - 1 – The localhost IP address is hidden. + + + +**Browser/ProvisionFavorites** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
      + + + +

      Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. +  +

      URL can be specified as: + +- HTTP location: "SiteList"="http://localhost:8080/URLs.html" +- Local network: "SiteList"="\\network\shares\URLs.html" +- Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html" + +> [!Important] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +

      If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + +

      Data type is string. + diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 827c761526..ca7b98ecc5 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Camera diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 099237a30b..b1c206e118 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Cellular @@ -56,8 +56,9 @@ ms.date: 07/14/2017 ADMX Info: -- GP english name: *Set Per-App Cellular Access UI Visibility* +- GP English name: *Set Per-App Cellular Access UI Visibility* - GP name: *ShowAppCellularAccessUI* +- GP path: *Network/WWAN Service/WWAN UI Settings* - GP ADMX file name: *wwansvc.admx* diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 4e608da6c7..5ffa503ab6 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Connectivity @@ -386,8 +386,9 @@ ms.date: 07/14/2017 ADMX Info: -- GP english name: *Turn off printing over HTTP* +- GP English name: *Turn off printing over HTTP* - GP name: *DisableHTTPPrinting_2* +- GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* 
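Review bot: the three example values in the **Browser/ProvisionFavorites** hunk are written as "SiteList"="...", but the policy being documented is ProvisionFavorites and nothing in the hunk says the value is a SiteList key/value pair; state the exact string the admin sets (the bare URL or the quoted pair). The local-file example "file:///c:\\Users\\\\Documents\\URLs.html" has lost the user-name segment between the doubled backslashes, so put a visible placeholder such as <username> there. The HTTP example points at http://localhost:8080; because this file decides which links appear as trusted favorites on every provisioned machine, the text should recommend HTTPS or an access-controlled share when the location is not local. Also use "Microsoft Edge" and "HTML" consistently with the rest of the section.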
@@ -429,8 +430,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off downloading of print drivers over HTTP* +- GP English name: *Turn off downloading of print drivers over HTTP* - GP name: *DisableWebPnPDownload_2* +- GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* @@ -472,8 +474,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off Internet download for Web publishing and online ordering wizards* +- GP English name: *Turn off Internet download for Web publishing and online ordering wizards* - GP name: *ShellPreventWPWDownload_2* +- GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* @@ -519,8 +522,9 @@ If you enable this policy, Windows only allows access to the specified UNC paths ADMX Info: -- GP english name: *Hardened UNC Paths* +- GP English name: *Hardened UNC Paths* - GP name: *Pol_HardenedPaths* +- GP path: *Network/Network Provider* - GP ADMX file name: *networkprovider.admx* @@ -562,8 +566,9 @@ ADMX Info: ADMX Info: -- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* +- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* - GP name: *NC_AllowNetBridge_NLA* +- GP path: *Network/Network Connections* - GP ADMX file name: *NetworkConnections.admx* diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 66d1f6d390..e253febdf8 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - CredentialProviders 
@@ -66,8 +66,9 @@ To configure Windows Hello for Business, use the Administrative Template policie ADMX Info: -- GP english name: *Turn on convenience PIN sign-in* +- GP English name: *Turn on convenience PIN sign-in* - GP name: *AllowDomainPINLogon* +- GP path: *System/Logon* - GP ADMX file name: *credentialproviders.admx* @@ -117,14 +118,15 @@ Note that the user's domain password will be cached in the system vault when usi ADMX Info: -- GP english name: *Turn off picture password sign-in* +- GP English name: *Turn off picture password sign-in* - GP name: *BlockDomainPicturePassword* +- GP path: *System/Logon* - GP ADMX file name: *credentialproviders.admx* -**CredentialProviders/EnableWindowsAutoPilotResetCredentials** +**CredentialProviders/DisableAutomaticReDeploymentCredentials** 
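Review bot: the rename from **CredentialProviders/EnableWindowsAutoPilotResetCredentials** to **CredentialProviders/DisableAutomaticReDeploymentCredentials** drops the old node name without a trace; add a "The previous name was ..." note, as the Defender ControlledFolderAccess sections in this same commit do, because admins who configured the earlier 1709 name need to know both that it changed and that the sense of the value flipped from "enable" to "disable".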
@@ -150,11 +152,12 @@ ADMX Info: -Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. +Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. -The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. +The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. -Default value is 0. +- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment +- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index c99d68a5fe..15d68cf69e 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - CredentialsUI 
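Review bot: the replacement description in the @@ -150 hunk removes "Default value is 0." without stating a new default, and the value meanings have inverted (0 now keeps the credentials visible, 1 hides them), so the hunk should say which value applies when the policy is not configured. The added line also carries "the devices are for ready for use" (drop the stray "for") and "allows admin to reset" (should be "allows admins to reset").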
@@ -66,8 +66,9 @@ The policy applies to all Windows components and applications that use the Windo ADMX Info: -- GP english name: *Do not display the password reveal button* +- GP English name: *Do not display the password reveal button* - GP name: *DisablePasswordReveal* +- GP path: *Windows Components/Credential User Interface* - GP ADMX file name: *credui.admx* @@ -115,8 +116,9 @@ If you disable this policy setting, users will always be required to type a user ADMX Info: -- GP english name: *Enumerate administrator accounts on elevation* +- GP English name: *Enumerate administrator accounts on elevation* - GP name: *EnumerateAdministrators* +- GP path: *Windows Components/Credential User Interface* - GP ADMX file name: *credui.admx* diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 28837af17c..eef7cdeba4 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Cryptography diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index e520e4612f..edba750722 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - DataProtection diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index decc54ee81..a8724cc2f6 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - DataUsage @@ -68,8 +68,9 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti ADMX Info: -- GP english name: *Set 3G Cost* +- GP English name: *Set 3G Cost* - GP name: *SetCost3G* +- GP path: *Network/WWAN Service/WWAN Media Cost* - GP ADMX file name: *wwansvc.admx* @@ -123,8 +124,9 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti ADMX Info: -- GP english name: *Set 4G Cost* +- GP English name: *Set 4G Cost* - GP name: *SetCost4G* +- GP path: *Network/WWAN Service/WWAN Media Cost* - GP ADMX file name: *wwansvc.admx* diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 337cacc79f..3f35e2d4eb 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Defender @@ -572,7 +572,7 @@ ms.date: 07/14/2017

      Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. -Value type is string. +

      Value type is string. @@ -609,7 +609,9 @@ Value type is string.

      Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. -Value type is string. +

      For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). + +

      Value type is string. @@ -740,6 +742,74 @@ Value type is string. > [!Note] > This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". + + + +**Defender/ControlledFolderAccessAllowedApplications** + + +

      + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. + +

      Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. + + + + +**Defender/ControlledFolderAccessProtectedFolders** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. + +

      Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. + @@ -782,7 +852,7 @@ Value type is string. -**Defender/EnableGuardMyFolders** +**Defender/EnableControlledFolderAccess** @@ -809,13 +879,13 @@ Value type is string. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop. +> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
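Review bot: both new sections **Defender/ControlledFolderAccessAllowedApplications** and **Defender/ControlledFolderAccessProtectedFolders** keep describing the "guard my folders feature" even though their NOTE lines say the feature is now controlled folder access; update the body text to the new name. "This policy settings allows adding" should read "This policy setting allows adding". The separator in "Use the Unicode  as the substring separator" is not legible in the rendered text; write out its code point (U+XXXX) so readers can actually type it when listing several applications or folders.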

      Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. -- 0 (default) - Off -- 1 - Audit mode -- 2 - Enforcement mode +- 0 (default) - Disabled +- 1 - Enabled +- 2 - Audit Mode @@ -974,74 +1044,6 @@ Value type is string.  
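Review bot: the @@ -809 hunk changes what values 1 and 2 mean for **Defender/EnableControlledFolderAccess** (1 was "Audit mode" and is now "Enabled"; 2 was "Enforcement mode" and is now "Audit Mode"), so an admin who deployed 1 expecting audit-only behaviour now gets enforcement; call the change out explicitly in the text instead of silently swapping the list, and update the context sentence "state (On/Off/Audit)" so its order matches the new value list.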

      Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - -**Defender/GuardedFoldersAllowedApplications** - - -

      - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

      Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. - - - - -**Defender/GuardedFoldersList** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

      Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. - diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 830147907b..e352718a5d 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - DeliveryOptimization diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 2a09f78ddf..8a3b89d0f5 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Desktop @@ -62,8 +62,9 @@ If you enable this setting, users are unable to type a new location in the Targe ADMX Info: -- GP english name: *Prohibit User from manually redirecting Profile Folders* +- GP English name: *Prohibit User from manually redirecting Profile Folders* - GP name: *DisablePersonalDirChange* +- GP path: *Desktop* - GP ADMX file name: *desktop.admx* diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index f104ff82b3..df77a218e7 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - DeviceGuard diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 4f4b4d25d5..4b04c4567d 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - DeviceInstallation @@ -62,8 +62,9 @@ If you disable or do not configure this policy setting, devices can be installed ADMX Info: -- GP english name: *Prevent installation of devices that match any of these device IDs* +- GP English name: *Prevent installation of devices that match any of these device IDs* - GP name: *DeviceInstall_IDs_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* - GP ADMX file name: *deviceinstallation.admx* @@ -111,8 +112,9 @@ If you disable or do not configure this policy setting, Windows can install and ADMX Info: -- GP english name: *Prevent installation of devices using drivers that match these device setup classes* +- GP English name: *Prevent installation of devices using drivers that match these device setup classes* - GP name: *DeviceInstall_Classes_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* - GP ADMX file name: *deviceinstallation.admx* diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 8ac0f11942..dcfc34f488 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - DeviceLock @@ -767,8 +767,9 @@ If you enable this setting, users will no longer be able to modify slide show se ADMX Info: -- GP english name: *Prevent enabling lock screen slide show* +- GP English name: *Prevent enabling lock screen slide show* - GP name: *CPL_Personalization_NoLockScreenSlideshow* +- GP path: *Control Panel/Personalization* - GP ADMX file name: *ControlPanelDisplay.admx* diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index c10d926963..7af8189ba0 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Display diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index a1912d6edc..6be666c341 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/27/2017 +ms.date: 08/30/2017 --- # Policy CSP - Education diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index 7b33c7e5b4..c11c6d066d 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - EnterpriseCloudPrint 
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 800c8ac975..98c03c6579 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - ErrorReporting @@ -72,8 +72,9 @@ If you disable or do not configure this policy setting, then the default consent ADMX Info: -- GP english name: *Customize consent settings* +- GP English name: *Customize consent settings* - GP name: *WerConsentCustomize_2* +- GP path: *Windows Components/Windows Error Reporting/Consent* - GP ADMX file name: *ErrorReporting.admx* @@ -121,8 +122,9 @@ If you disable or do not configure this policy setting, the Turn off Windows Err ADMX Info: -- GP english name: *Disable Windows Error Reporting* +- GP English name: *Disable Windows Error Reporting* - GP name: *WerDisable_2* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* @@ -174,8 +176,9 @@ See also the Configure Error Reporting policy setting. ADMX Info: -- GP english name: *Display Error Notification* +- GP English name: *Display Error Notification* - GP name: *PCH_ShowUI* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* @@ -223,8 +226,9 @@ If you disable or do not configure this policy setting, then consent policy sett ADMX Info: -- GP english name: *Do not send additional data* +- GP English name: *Do not send additional data* - GP name: *WerNoSecondLevelData_2* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* 
@@ -272,8 +276,9 @@ If you disable or do not configure this policy setting, Windows Error Reporting ADMX Info: -- GP english name: *Prevent display of the user interface for critical errors* +- GP English name: *Prevent display of the user interface for critical errors* - GP name: *WerDoNotShowUI* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index a1f5c9527e..a73f5c2b18 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - EventLogService @@ -64,8 +64,9 @@ Note: Old events may or may not be retained according to the "Backup log automat ADMX Info: -- GP english name: *Control Event Log behavior when the log file reaches its maximum size* +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* - GP name: *Channel_Log_Retention_1* +- GP path: *Windows Components/Event Log Service/Application* - GP ADMX file name: *eventlog.admx* @@ -113,8 +114,9 @@ If you disable or do not configure this policy setting, the maximum size of the ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* +- GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_1* +- GP path: *Windows Components/Event Log Service/Application* - GP ADMX file name: *eventlog.admx* 
@@ -162,8 +164,9 @@ If you disable or do not configure this policy setting, the maximum size of the ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* +- GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_2* +- GP path: *Windows Components/Event Log Service/Security* - GP ADMX file name: *eventlog.admx* @@ -211,8 +214,9 @@ If you disable or do not configure this policy setting, the maximum size of the ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* +- GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_4* +- GP path: *Windows Components/Event Log Service/System* - GP ADMX file name: *eventlog.admx* diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index c69b113a36..b5e7a8bfe2 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Experience diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md new file mode 100644 index 0000000000..292dfa31bc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -0,0 +1,89 @@ +--- +title: Policy CSP - ExploitGuard +description: Policy CSP - ExploitGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/30/2017 +--- + +# Policy CSP - ExploitGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +


      + +## ExploitGuard policies + + +**ExploitGuard/ExploitProtectionSettings** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3cross markcross mark
      + + + +

      Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). + +

      The system settings require a reboot; the application settings do not require a reboot. + +

      Here is an example: + +``` syntax + + + + + $CmdId$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings + + ]]> + + + + + + +``` + + + +


      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index 5cb47e7195..f6fc32cc9f 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/31/2017 --- # Policy CSP - Games @@ -23,11 +23,35 @@ ms.date: 07/14/2017 **Games/AllowAdvancedGamingServices** + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      -

      Placeholder only. Currently not supported. +

      Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer. +- 0 - Not Allowed +- 1 (default) - Allowed + +

      This policy can only be turned off in Windows 10 Education and Enterprise editions.


      diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index b5377f7a59..7be92bcfc1 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/16/2017 +ms.date: 08/30/2017 --- # Policy CSP - InternetExplorer @@ -62,8 +62,9 @@ If you disable or do not configure this policy setting, the user can configure t ADMX Info: -- GP english name: *Add a specific list of search providers to the user's list of search providers* +- GP English name: *Add a specific list of search providers to the user's list of search providers* - GP name: *AddSearchProvider* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -111,8 +112,9 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not ADMX Info: -- GP english name: *Turn on ActiveX Filtering* +- GP English name: *Turn on ActiveX Filtering* - GP name: *TurnOnActiveXFiltering* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -166,8 +168,9 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u ADMX Info: -- GP english name: *Add-on List* +- GP English name: *Add-on List* - GP name: *AddonManagement_AddOnList* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -209,8 +212,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on the auto-complete feature for user names and passwords on forms* +- GP English name: *Turn on the auto-complete feature for user names and passwords on forms* - GP name: *RestrictFormSuggestPW* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -252,8 +256,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on certificate address mismatch warning* +- GP English name: *Turn on certificate address mismatch warning* - GP name: *IZ_PolicyWarnCertMismatch* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -295,8 +300,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow deleting browsing history on exit* +- GP English name: *Allow deleting browsing history on exit* - GP name: *DBHDisableDeleteOnExit* +- GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* @@ -346,8 +352,9 @@ If you do not configure this policy, users will be able to turn on or turn off E ADMX Info: -- GP english name: *Turn on Enhanced Protected Mode* +- GP English name: *Turn on Enhanced Protected Mode* - GP name: *Advanced_EnableEnhancedProtectedMode* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -395,8 +402,9 @@ If you disable or don't configure this policy setting, the menu option won't app ADMX Info: -- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* +- GP English name: *Let users turn on and use Enterprise Mode from the Tools menu* - GP name: *EnterpriseModeEnable* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -444,8 +452,9 @@ If you disable or don't configure this policy setting, Internet Explorer opens a ADMX Info: -- GP english name: *Use the Enterprise Mode IE website list* +- GP English name: *Use the Enterprise Mode IE website list* - GP name: *EnterpriseModeSiteList* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -487,8 +496,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)* +- GP English name: *Allow fallback to SSL 3.0 (Internet Explorer)* - GP name: *Advanced_EnableSSL3Fallback* +- GP path: *Windows Components/Internet Explorer/Security Features* - GP ADMX file name: *inetres.admx* @@ -536,8 +546,9 @@ If you disable or do not configure this policy setting, the user can add and rem ADMX Info: -- GP english name: *Use Policy List of Internet Explorer 7 sites* +- GP English name: *Use Policy List of Internet Explorer 7 sites* - GP name: *CompatView_UsePolicyList* +- GP path: *Windows Components/Internet Explorer/Compatibility View* - GP ADMX file name: *inetres.admx* @@ -587,8 +598,9 @@ If you do not configure this policy setting, Internet Explorer uses an Internet ADMX Info: -- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* +- GP English name: *Turn on Internet Explorer Standards Mode for local intranet* - GP name: *CompatView_IntranetSites* +- GP path: *Windows Components/Internet Explorer/Compatibility View* - GP ADMX file name: *inetres.admx* @@ -642,8 +654,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Internet Zone Template* +- GP English name: *Internet Zone Template* - GP name: *IZ_PolicyInternetZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -697,8 +710,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Intranet Zone Template* +- GP English name: *Intranet Zone Template* - GP name: *IZ_PolicyIntranetZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* 
@@ -752,8 +766,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Local Machine Zone Template* +- GP English name: *Local Machine Zone Template* - GP name: *IZ_PolicyLocalMachineZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -807,8 +822,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Locked-Down Internet Zone Template* +- GP English name: *Locked-Down Internet Zone Template* - GP name: *IZ_PolicyInternetZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -862,8 +878,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Locked-Down Intranet Zone Template* +- GP English name: *Locked-Down Intranet Zone Template* - GP name: *IZ_PolicyIntranetZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -917,8 +934,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Locked-Down Local Machine Zone Template* +- GP English name: *Locked-Down Local Machine Zone Template* - GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* 
@@ -972,8 +990,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Locked-Down Restricted Sites Zone Template* +- GP English name: *Locked-Down Restricted Sites Zone Template* - GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -1021,8 +1040,9 @@ If you disable or do not configure this policy setting, Internet Explorer does n ADMX Info: -- GP english name: *Go to an intranet site for a one-word entry in the Address bar* +- GP English name: *Go to an intranet site for a one-word entry in the Address bar* - GP name: *UseIntranetSiteForOneWordEntry* +- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* - GP ADMX file name: *inetres.admx* @@ -1076,8 +1096,9 @@ If you disable or do not configure this policy, users may choose their own site- ADMX Info: -- GP english name: *Site to Zone Assignment List* +- GP English name: *Site to Zone Assignment List* - GP name: *IZ_Zonemaps* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -1119,8 +1140,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow software to run or install even if the signature is invalid* +- GP English name: *Allow software to run or install even if the signature is invalid* - GP name: *Advanced_InvalidSignatureBlock* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1170,8 +1192,9 @@ If you do not configure this policy setting, the user can turn on and turn off t ADMX Info: -- GP english name: *Turn on Suggested Sites* +- GP English name: *Turn on Suggested Sites* - GP name: *EnableSuggestedSites* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -1225,8 +1248,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Trusted Sites Zone Template* +- GP English name: *Trusted Sites Zone Template* - GP name: *IZ_PolicyTrustedSitesZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -1280,8 +1304,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Locked-Down Trusted Sites Zone Template* +- GP English name: *Locked-Down Trusted Sites Zone Template* - GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -1335,8 +1360,9 @@ Note. It is recommended to configure template policy settings in one Group Polic ADMX Info: -- GP english name: *Restricted Sites Zone Template* +- GP English name: *Restricted Sites Zone Template* - GP name: *IZ_PolicyRestrictedSitesZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -1378,8 +1404,9 @@ ADMX Info: ADMX Info: -- GP english name: *Check for server certificate revocation* +- GP English name: *Check for server certificate revocation* - GP name: *Advanced_CertificateRevocation* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1421,8 +1448,9 @@ ADMX Info: ADMX Info: -- GP english name: *Check for signatures on downloaded programs* +- GP English name: *Check for signatures on downloaded programs* - GP name: *Advanced_DownloadSignatures* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* 
@@ -1464,8 +1492,9 @@ ADMX Info: ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_2* +- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction* - GP ADMX file name: *inetres.admx* @@ -1515,8 +1544,9 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny ADMX Info: -- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* +- GP English name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* - GP name: *DisableFlashInIE* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -1558,8 +1588,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* - GP name: *VerMgmtDisable* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -1607,8 +1638,9 @@ If you disable or do not configure this policy setting, the user can bypass Smar ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings* +- GP English name: *Prevent bypassing SmartScreen Filter warnings* - GP name: *DisableSafetyFilterOverride* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -1656,8 +1688,9 @@ If you disable or do not configure this policy setting, the user can bypass Smar ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* +- GP English name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* - GP name: *DisableSafetyFilterOverrideForAppRepUnknown* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1699,8 +1732,9 @@ ADMX Info: ADMX Info: -- GP english name: *Disable "Configuring History"* +- GP English name: *Disable "Configuring History"* - GP name: *RestrictHistory* +- GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* @@ -1742,8 +1776,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off Crash Detection* +- GP English name: *Turn off Crash Detection* - GP name: *AddonManagement_RestrictCrashDetection* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1793,8 +1828,9 @@ If you do not configure this policy setting, the user can choose to participate ADMX Info: -- GP english name: *Prevent participation in the Customer Experience Improvement Program* +- GP English name: *Prevent participation in the Customer Experience Improvement Program* - GP name: *SQM_DisableCEIP* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1836,8 +1872,9 @@ ADMX Info: ADMX Info: -- GP english name: *Prevent deleting websites that the user has visited* +- GP English name: *Prevent deleting websites that the user has visited* - GP name: *DBHDisableDeleteHistory* +- GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* 
@@ -1885,8 +1922,9 @@ If you disable or do not configure this policy setting, the user can set the Fee ADMX Info: -- GP english name: *Prevent downloading of enclosures* +- GP English name: *Prevent downloading of enclosures* - GP name: *Disable_Downloading_of_Enclosures* +- GP path: *Windows Components/RSS Feeds* - GP ADMX file name: *inetres.admx* @@ -1936,8 +1974,9 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows ADMX Info: -- GP english name: *Turn off encryption support* +- GP English name: *Turn off encryption support* - GP name: *Advanced_SetWinInetProtocols* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1989,8 +2028,9 @@ If you disable or do not configure this policy setting, Internet Explorer may ru ADMX Info: -- GP english name: *Prevent running First Run wizard* +- GP English name: *Prevent running First Run wizard* - GP name: *NoFirstRunCustomise* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -2042,8 +2082,9 @@ If you don't configure this setting, users can turn this behavior on or off, usi ADMX Info: -- GP english name: *Turn off the flip ahead with page prediction feature* +- GP English name: *Turn off the flip ahead with page prediction feature* - GP name: *Advanced_DisableFlipAhead* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -2091,8 +2132,9 @@ If you disable or do not configure this policy setting, the Home page box is ena ADMX Info: -- GP english name: *Disable changing home page settings* +- GP English name: *Disable changing home page settings* - GP name: *RestrictHomePage* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -2134,8 +2176,9 @@ ADMX Info: ADMX Info: -- GP english name: *Prevent ignoring certificate errors* +- GP English name: *Prevent ignoring certificate errors* - GP name: *NoCertError* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel* - GP ADMX file name: *inetres.admx* @@ -2177,8 +2220,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off InPrivate Browsing* +- GP English name: *Turn off InPrivate Browsing* - GP name: *DisableInPrivateBrowsing* +- GP path: *Windows Components/Internet Explorer/Privacy* - GP ADMX file name: *inetres.admx* @@ -2220,8 +2264,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* +- GP English name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* - GP name: *Advanced_EnableEnhancedProtectedMode64Bit* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -2269,8 +2314,9 @@ If you disable or do not configure this policy setting, the user can configure p ADMX Info: -- GP english name: *Prevent changing proxy settings* +- GP English name: *Prevent changing proxy settings* - GP name: *RestrictProxy* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -2318,8 +2364,9 @@ If you disable or do not configure this policy setting, the user can change the ADMX Info: -- GP english name: *Prevent changing the default search provider* +- GP English name: *Prevent changing the default search provider* - GP name: *NoSearchProvider* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -2369,8 +2416,9 @@ Note: If the Disable Changing Home Page Settings policy is enabled, the user can ADMX Info: -- GP english name: *Disable changing secondary home page settings* +- GP English name: *Disable changing secondary home page settings* - GP name: *SecondaryHomePages* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -2412,8 +2460,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off the Security Settings Check feature* +- GP English name: *Turn off the Security Settings Check feature* - GP name: *Disable_Security_Settings_Check* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -2463,8 +2512,9 @@ This policy is intended to help the administrator maintain version control for I ADMX Info: -- GP english name: *Disable Periodic Check for Internet Explorer software updates* +- GP English name: *Disable Periodic Check for Internet Explorer software updates* - GP name: *NoUpdateCheck* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -2506,8 +2556,9 @@ ADMX Info: ADMX Info: -- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* +- GP English name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* - GP name: *Advanced_DisableEPMCompat* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -2561,8 +2612,9 @@ Also, see the "Security zones: Use only machine settings" policy. ADMX Info: -- GP english name: *Security Zones: Do not allow users to add/delete sites* +- GP English name: *Security Zones: Do not allow users to add/delete sites* - GP name: *Security_zones_map_edit* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -2616,8 +2668,9 @@ Also, see the "Security zones: Use only machine settings" policy. ADMX Info: -- GP english name: *Security Zones: Do not allow users to change policies* +- GP English name: *Security Zones: Do not allow users to change policies* - GP name: *Security_options_edit* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -2667,8 +2720,9 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* - GP name: *VerMgmtDisable* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -2722,8 +2776,9 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* +- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* - GP name: *VerMgmtDomainAllowlist* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -2773,8 +2828,9 @@ If you do not configure this policy setting, users choose whether to force local ADMX Info: -- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* +- GP English name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* - GP name: *IZ_IncludeUnspecifiedLocalSites* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* 
@@ -2824,8 +2880,9 @@ If you do not configure this policy setting, users choose whether network paths ADMX Info: -- GP english name: *Intranet Sites: Include all network paths (UNCs)* +- GP English name: *Intranet Sites: Include all network paths (UNCs)* - GP name: *IZ_UNCAsIntranet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -2875,8 +2932,9 @@ If you do not configure this policy setting, users cannot load a page in the zon ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2926,8 +2984,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2975,8 +3034,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -3018,8 +3078,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP English name: *Allow cut, copy or paste operations from the clipboard via script* - GP name: *IZ_PolicyAllowPasteViaScript_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3061,8 +3122,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow drag and drop or copy and paste files* +- GP English name: *Allow drag and drop or copy and paste files* - GP name: *IZ_PolicyDropOrPasteFiles_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3112,8 +3174,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3163,8 +3226,9 @@ If you do not configure this policy setting, Web sites from less privileged zone ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3206,8 +3270,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow loading of XAML files* +- GP English name: *Allow loading of XAML files* - GP name: *IZ_Policy_XAML_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -3257,8 +3322,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3300,8 +3366,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP English name: *Allow only approved domains to use ActiveX controls without prompt* - GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3343,8 +3410,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP English name: *Allow only approved domains to use the TDC ActiveX control* - GP name: *IZ_PolicyAllowTDCControl_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3386,8 +3454,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow script-initiated windows without size or position constraints* +- GP English name: *Allow script-initiated windows without size or position constraints* - GP name: *IZ_PolicyWindowsRestrictionsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -3429,8 +3498,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP English name: *Allow scripting of Internet Explorer WebBrowser controls* - GP name: *IZ_Policy_WebBrowserControl_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3480,8 +3550,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3533,8 +3604,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3576,8 +3648,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow updates to status bar via script* +- GP English name: *Allow updates to status bar via script* - GP name: *IZ_Policy_ScriptStatusBar_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3627,8 +3700,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -3670,8 +3744,9 @@ ADMX Info: ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3713,8 +3788,9 @@ ADMX Info: ADMX Info: -- GP english name: *Download signed ActiveX controls* +- GP English name: *Download signed ActiveX controls* - GP name: *IZ_PolicyDownloadSignedActiveX_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3756,8 +3832,9 @@ ADMX Info: ADMX Info: -- GP english name: *Download unsigned ActiveX controls* +- GP English name: *Download unsigned ActiveX controls* - GP name: *IZ_PolicyDownloadUnsignedActiveX_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3799,8 +3876,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on Cross-Site Scripting Filter* +- GP English name: *Turn on Cross-Site Scripting Filter* - GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3842,8 +3920,9 @@ ADMX Info: ADMX Info: -- GP english name: *Enable dragging of content from different domains across windows* +- GP English name: *Enable dragging of content from different domains across windows* - GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -3885,8 +3964,9 @@ ADMX Info: ADMX Info: -- GP english name: *Enable dragging of content from different domains within a window* +- GP English name: *Enable dragging of content from different domains within a window* - GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3928,8 +4008,9 @@ ADMX Info: ADMX Info: -- GP english name: *Enable MIME Sniffing* +- GP English name: *Enable MIME Sniffing* - GP name: *IZ_PolicyMimeSniffingURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -3971,8 +4052,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on Protected Mode* +- GP English name: *Turn on Protected Mode* - GP name: *IZ_Policy_TurnOnProtectedMode_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4014,8 +4096,9 @@ ADMX Info: ADMX Info: -- GP english name: *Include local path when user is uploading files to a server* +- GP English name: *Include local path when user is uploading files to a server* - GP name: *IZ_Policy_LocalPathForUpload_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4067,8 +4150,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -4139,8 +4223,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4182,8 +4267,9 @@ ADMX Info: ADMX Info: -- GP english name: *Launching applications and files in an IFRAME* +- GP English name: *Launching applications and files in an IFRAME* - GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4225,8 +4311,9 @@ ADMX Info: ADMX Info: -- GP english name: *Logon options* +- GP English name: *Logon options* - GP name: *IZ_PolicyLogon_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4276,8 +4363,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4319,8 +4407,9 @@ ADMX Info: ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -4362,8 +4451,9 @@ ADMX Info: ADMX Info: -- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components signed with Authenticode* - GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4405,8 +4495,9 @@ ADMX Info: ADMX Info: -- GP english name: *Show security warning for potentially unsafe files* +- GP English name: *Show security warning for potentially unsafe files* - GP name: *IZ_Policy_UnsafeFiles_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4448,8 +4539,9 @@ ADMX Info: ADMX Info: -- GP english name: *Use Pop-up Blocker* +- GP English name: *Use Pop-up Blocker* - GP name: *IZ_PolicyBlockPopupWindows_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4491,8 +4583,9 @@ ADMX Info: ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4542,8 +4635,9 @@ If you do not configure this policy setting, users are queried to choose whether ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -4593,8 +4687,9 @@ If you do not configure this policy setting, users will receive a prompt when a ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4642,8 +4737,9 @@ If you disable or do not configure this setting, users will receive a file downl ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4693,8 +4789,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4744,8 +4841,9 @@ If you do not configure this policy setting, Web sites from less privileged zone ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -4795,8 +4893,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4846,8 +4945,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4899,8 +4999,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4950,8 +5051,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -4993,8 +5095,9 @@ ADMX Info: ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -5046,8 +5149,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -5089,8 +5193,9 @@ ADMX Info: ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -5132,8 +5237,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -5183,8 +5289,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -5234,8 +5341,9 @@ If you do not configure this policy setting, users can load a page in the zone t ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5285,8 +5393,9 @@ If you do not configure this policy setting, users will receive a prompt when a ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5334,8 +5443,9 @@ If you disable or do not configure this setting, users will receive a file downl ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* 
@@ -5385,8 +5495,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5436,8 +5547,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5487,8 +5599,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5538,8 +5651,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* 
@@ -5591,8 +5705,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5642,8 +5757,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5685,8 +5801,9 @@ ADMX Info: ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5738,8 +5855,9 @@ If you do not configure this policy setting, users are queried whether to allow ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5781,8 +5899,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* 
@@ -5832,8 +5951,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5883,8 +6003,9 @@ If you do not configure this policy setting, users cannot load a page in the zon ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -5934,8 +6055,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -5983,8 +6105,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -6034,8 +6157,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6085,8 +6209,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6136,8 +6261,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6187,8 +6313,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -6240,8 +6367,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6291,8 +6419,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6344,8 +6473,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6387,8 +6517,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* 
@@ -6438,8 +6569,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -6489,8 +6621,9 @@ If you do not configure this policy setting, users are queried to choose whether ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6540,8 +6673,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6589,8 +6723,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -6640,8 +6775,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6691,8 +6827,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6742,8 +6879,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6793,8 +6931,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -6846,8 +6985,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6897,8 +7037,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -6950,8 +7091,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -7001,8 +7143,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* 
@@ -7052,8 +7195,9 @@ If you do not configure this policy setting, users can load a page in the zone t ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7103,8 +7247,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7152,8 +7297,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7203,8 +7349,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* 
@@ -7254,8 +7401,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7305,8 +7453,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7356,8 +7505,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7409,8 +7559,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* 
@@ -7460,8 +7611,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7513,8 +7665,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7556,8 +7709,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -7607,8 +7761,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* 
@@ -7658,8 +7813,9 @@ If you do not configure this policy setting, users cannot load a page in the zon ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7709,8 +7865,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7758,8 +7915,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7809,8 +7967,9 @@ If you do not configure this policy setting, users are queried whether to allow ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -7860,8 +8019,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7911,8 +8071,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7962,8 +8123,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8015,8 +8177,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -8066,8 +8229,9 @@ If you do not configure this policy setting, users cannot preserve information i ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8119,8 +8283,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8162,8 +8327,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8213,8 +8379,9 @@ If you do not configure this policy setting, users cannot open other windows and ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -8264,8 +8431,9 @@ If you do not configure this policy setting, users can load a page in the zone t ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8315,8 +8483,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8364,8 +8533,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8415,8 +8585,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -8466,8 +8637,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8517,8 +8689,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8568,8 +8741,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8621,8 +8795,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -8672,8 +8847,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8725,8 +8901,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8768,8 +8945,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8819,8 +8997,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -8862,8 +9041,9 @@ ADMX Info: ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_3* +- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction* - GP ADMX file name: *inetres.admx* 
@@ -8905,8 +9085,9 @@ ADMX Info: ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_6* +- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature* - GP ADMX file name: *inetres.admx* @@ -8948,8 +9129,9 @@ ADMX Info: ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_10* +- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar* - GP ADMX file name: *inetres.admx* @@ -8991,8 +9173,9 @@ ADMX Info: ADMX Info: -- GP english name: *Prevent managing SmartScreen Filter* +- GP English name: *Prevent managing SmartScreen Filter* - GP name: *Disable_Managing_Safety_Filter_IE9* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -9034,8 +9217,9 @@ ADMX Info: ADMX Info: -- GP english name: *Prevent per-user installation of ActiveX controls* +- GP English name: *Prevent per-user installation of ActiveX controls* - GP name: *DisablePerUserActiveXInstall* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -9077,8 +9261,9 @@ ADMX Info: ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_9* +- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation* - GP ADMX file name: *inetres.admx* @@ -9120,8 +9305,9 @@ ADMX Info: ADMX Info: -- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * - GP name: *VerMgmtDisableRunThisTime* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* 
@@ -9163,8 +9349,9 @@ ADMX Info: ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_11* +- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install* - GP ADMX file name: *inetres.admx* @@ -9206,8 +9393,9 @@ ADMX Info: ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_12* +- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download* - GP ADMX file name: *inetres.admx* @@ -9257,8 +9445,9 @@ If you do not configure this policy setting, users cannot load a page in the zon ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9300,8 +9489,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow active scripting* +- GP English name: *Allow active scripting* - GP name: *IZ_PolicyActiveScripting_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9351,8 +9541,9 @@ If you do not configure this policy setting, ActiveX control installations will ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -9400,8 +9591,9 @@ If you disable or do not configure this setting, file downloads that are not use ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9443,8 +9635,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow binary and script behaviors* +- GP English name: *Allow binary and script behaviors* - GP name: *IZ_PolicyBinaryBehaviors_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9486,8 +9679,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP English name: *Allow cut, copy or paste operations from the clipboard via script* - GP name: *IZ_PolicyAllowPasteViaScript_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9529,8 +9723,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow drag and drop or copy and paste files* +- GP English name: *Allow drag and drop or copy and paste files* - GP name: *IZ_PolicyDropOrPasteFiles_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9572,8 +9767,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow file downloads* +- GP English name: *Allow file downloads* - GP name: *IZ_PolicyFileDownload_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -9623,8 +9819,9 @@ If you do not configure this policy setting, users are queried whether to allow ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9674,8 +9871,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9717,8 +9915,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow loading of XAML files* +- GP English name: *Allow loading of XAML files* - GP name: *IZ_Policy_XAML_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9760,8 +9959,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow META REFRESH* +- GP English name: *Allow META REFRESH* - GP name: *IZ_PolicyAllowMETAREFRESH_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -9811,8 +10011,9 @@ If you do not configure this policy setting, Internet Explorer will not execute ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9854,8 +10055,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP English name: *Allow only approved domains to use ActiveX controls without prompt* - GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9897,8 +10099,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP English name: *Allow only approved domains to use the TDC ActiveX control* - GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -9940,8 +10143,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow script-initiated windows without size or position constraints* +- GP English name: *Allow script-initiated windows without size or position constraints* - GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -9983,8 +10187,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP English name: *Allow scripting of Internet Explorer WebBrowser controls* - GP name: *IZ_Policy_WebBrowserControl_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10034,8 +10239,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10087,8 +10293,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10130,8 +10337,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow updates to status bar via script* +- GP English name: *Allow updates to status bar via script* - GP name: *IZ_Policy_ScriptStatusBar_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10181,8 +10389,9 @@ If you do not configure this policy setting, users cannot preserve information i ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -10224,8 +10433,9 @@ ADMX Info: ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10267,8 +10477,9 @@ ADMX Info: ADMX Info: -- GP english name: *Download signed ActiveX controls* +- GP English name: *Download signed ActiveX controls* - GP name: *IZ_PolicyDownloadSignedActiveX_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10310,8 +10521,9 @@ ADMX Info: ADMX Info: -- GP english name: *Download unsigned ActiveX controls* +- GP English name: *Download unsigned ActiveX controls* - GP name: *IZ_PolicyDownloadUnsignedActiveX_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10353,8 +10565,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on Cross-Site Scripting Filter* +- GP English name: *Turn on Cross-Site Scripting Filter* - GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10396,8 +10609,9 @@ ADMX Info: ADMX Info: -- GP english name: *Enable dragging of content from different domains across windows* +- GP English name: *Enable dragging of content from different domains across windows* - GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -10439,8 +10653,9 @@ ADMX Info: ADMX Info: -- GP english name: *Enable dragging of content from different domains within a window* +- GP English name: *Enable dragging of content from different domains within a window* - GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10482,8 +10697,9 @@ ADMX Info: ADMX Info: -- GP english name: *Enable MIME Sniffing* +- GP English name: *Enable MIME Sniffing* - GP name: *IZ_PolicyMimeSniffingURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10525,8 +10741,9 @@ ADMX Info: ADMX Info: -- GP english name: *Include local path when user is uploading files to a server* +- GP English name: *Include local path when user is uploading files to a server* - GP name: *IZ_Policy_LocalPathForUpload_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10578,8 +10795,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10621,8 +10839,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -10664,8 +10883,9 @@ ADMX Info: ADMX Info: -- GP english name: *Launching applications and files in an IFRAME* +- GP English name: *Launching applications and files in an IFRAME* - GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10707,8 +10927,9 @@ ADMX Info: ADMX Info: -- GP english name: *Logon options* +- GP English name: *Logon options* - GP name: *IZ_PolicyLogon_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10758,8 +10979,9 @@ If you do not configure this policy setting, users cannot open other windows and ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10801,8 +11023,9 @@ ADMX Info: ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10844,8 +11067,9 @@ ADMX Info: ADMX Info: -- GP english name: *Run ActiveX controls and plugins* +- GP English name: *Run ActiveX controls and plugins* - GP name: *IZ_PolicyRunActiveXControls_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -10887,8 +11111,9 @@ ADMX Info: ADMX Info: -- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components signed with Authenticode* - GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10930,8 +11155,9 @@ ADMX Info: ADMX Info: -- GP english name: *Script ActiveX controls marked safe for scripting* +- GP English name: *Script ActiveX controls marked safe for scripting* - GP name: *IZ_PolicyScriptActiveXMarkedSafe_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -10973,8 +11199,9 @@ ADMX Info: ADMX Info: -- GP english name: *Scripting of Java applets* +- GP English name: *Scripting of Java applets* - GP name: *IZ_PolicyScriptingOfJavaApplets_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11016,8 +11243,9 @@ ADMX Info: ADMX Info: -- GP english name: *Show security warning for potentially unsafe files* +- GP English name: *Show security warning for potentially unsafe files* - GP name: *IZ_Policy_UnsafeFiles_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11059,8 +11287,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on Cross-Site Scripting Filter* +- GP English name: *Turn on Cross-Site Scripting Filter* - GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -11102,8 +11331,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn on Protected Mode* +- GP English name: *Turn on Protected Mode* - GP name: *IZ_Policy_TurnOnProtectedMode_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11145,8 +11375,9 @@ ADMX Info: ADMX Info: -- GP english name: *Use Pop-up Blocker* +- GP English name: *Use Pop-up Blocker* - GP name: *IZ_PolicyBlockPopupWindows_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11188,8 +11419,9 @@ ADMX Info: ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_8* +- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions* - GP ADMX file name: *inetres.admx* @@ -11237,8 +11469,9 @@ If you disable or do not configure this policy setting, the user can configure h ADMX Info: -- GP english name: *Restrict search providers to a specific list* +- GP English name: *Restrict search providers to a specific list* - GP name: *SpecificSearchProvider* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -11280,8 +11513,9 @@ ADMX Info: ADMX Info: -- GP english name: *Security Zones: Use only machine settings * +- GP English name: *Security Zones: Use only machine settings * - GP name: *Security_HKLM_only* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -11323,8 +11557,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* +- GP English name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* - GP name: *OnlyUseAXISForActiveXInstall* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -11374,8 +11609,9 @@ If you do not configure this policy setting, users can load a page in the zone t ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11425,8 +11661,9 @@ If you do not configure this policy setting, users will receive a prompt when a ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11474,8 +11711,9 @@ If you disable or do not configure this setting, users will receive a file downl ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11525,8 +11763,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -11576,8 +11815,9 @@ If you do not configure this policy setting, a warning is issued to the user tha ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11627,8 +11867,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11678,8 +11919,9 @@ If you do not configure this policy setting, the user can enable or disable scri ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11731,8 +11973,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -11782,8 +12025,9 @@ If you do not configure this policy setting, users can preserve information in t ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11825,8 +12069,9 @@ ADMX Info: ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11868,8 +12113,9 @@ ADMX Info: ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -11921,8 +12167,9 @@ If you do not configure this policy setting, users are queried whether to allow ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* 
@@ -11964,8 +12211,9 @@ ADMX Info: ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -12007,8 +12255,9 @@ ADMX Info: ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -12050,8 +12299,9 @@ ADMX Info: ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -12101,8 +12351,9 @@ If you do not configure this policy setting, users can open windows and frames f ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 801ebc1f70..d4683f4ded 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Kerberos @@ -62,8 +62,9 @@ If you disable or do not configure this policy setting, the Kerberos client does ADMX Info: -- GP english name: *Use forest search order* +- GP English name: *Use forest search order* - GP name: *ForestSearch* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -110,8 +111,9 @@ If you disable or do not configure this policy setting, the client devices will ADMX Info: -- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* - GP name: *EnableCbacAndArmor* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -163,8 +165,9 @@ If you disable or do not configure this policy setting, the client computers in ADMX Info: -- GP english name: *Fail authentication requests when Kerberos armoring is not available* +- GP English name: *Fail authentication requests when Kerberos armoring is not available* - GP name: *ClientRequireFast* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -212,8 +215,9 @@ If you disable or do not configure this policy setting, the Kerberos client requ ADMX Info: -- GP english name: *Require strict KDC validation* +- GP English name: *Require strict KDC validation* - GP name: *ValidateKDC* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -265,8 +269,9 @@ Note: This policy setting configures the existing MaxTokenSize registry value in ADMX Info: -- GP english name: *Set maximum Kerberos SSPI context token buffer size* +- GP English name: *Set maximum Kerberos SSPI context token buffer size* - GP name: *MaxTokenSize* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* 
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 192795ada2..a8f855bc5e 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Licensing diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md new file mode 100644 index 0000000000..5eb02ceae2 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -0,0 +1,1025 @@ +--- +title: Policy CSP - LocalPoliciesSecurityOptions +description: Policy CSP - LocalPoliciesSecurityOptions +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/30/2017 +--- + +# Policy CSP - LocalPoliciesSecurityOptions + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
      + +## LocalPoliciesSecurityOptions policies + + +**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +This policy setting prevents users from adding new Microsoft accounts on this computer. + +If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + +If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. + +If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + +Valid values: +- 0 - disabled (users will be able to use Microsoft accounts with Windows) +- 1 - enabled (users cannot add Microsoft accounts) +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +This security setting determines whether the local Administrator account is enabled or disabled. + +If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. +Disabling the Administrator account can become a maintenance issue under certain circumstances. + +Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. + +Default: Disabled. +Valid values: +- 0 - local Administrator account is disabled +- 1 - local Administrator account is enabled + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +This security setting determines if the Guest account is enabled or disabled. + +Default: Disabled. +Valid values: +- 0 - local Guest account is disabled +- 1 - local Guest account is enabled + +Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Accounts: Limit local account use of blank passwords to console logon only + +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. + +Default: Enabled. +Valid values: +- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console +- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard + +Warning: + +Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +This setting does not affect logons that use domain accounts. +It is possible for applications that use remote interactive logons to bypass this setting. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Accounts: Rename administrator account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + +Default: Administrator. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Accounts: Rename guest account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. + +Default: Guest. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive Logon:Display user information when the session is locked + +Valid values: +- 1 - User display name, domain and user names +- 2 - User display name only +- 3 - Do not display user information + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Don't display last signed-in + +This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. +Valid values: +- 0 - disabled (username will be shown) +- 1 - enabled (username will not be shown) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Don't display username at sign-in + +This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. + +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. +Valid values: +- 0 - disabled (username will be shown) +- 1 - enabled (username will not be shown) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Do not require CTRL+ALT+DEL + +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. + +Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. +Default on stand-alone computers: Enabled. +Valid values: +- 0 - disabled +- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Machine inactivity limit. + +Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. + +Default: not enforced. +Valid values: +- 0 - disabled +- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Message text for users attempting to log on + +This security setting specifies a text message that is displayed to users when they log on. + +This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + +Default: No message. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Message title for users attempting to log on + +This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. + +Default: No message. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Network security: Allow PKU2U authentication requests to this computer to use online identities. + +This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + +Valid values: +- 0 - disabled +- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Recovery console: Allow automatic administrative logon + +This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. + +Default: This policy is not defined and automatic administrative logon is not allowed. +Valid values: +- 0 - disabled +- 1 - enabled (allow automatic administrative logon) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. +Valid values: +- 0 - disabled +- 1 - enabled (allow system to be shut down without having to log on) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. + +This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + +Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. + +Disabled: (Default) +Valid values: +- 0 - disabled +- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop) + +The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + +This policy setting controls the behavior of the elevation prompt for administrators. + +The options are: + +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. 
+ + + + +**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Behavior of the elevation prompt for standard users +This policy setting controls the behavior of the elevation prompt for standard users. + +The options are: + +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Only elevate executable files that are signed and validated + +This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + +The options are: +- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. +- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +The options are: +- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Switch to the secure desktop when prompting for elevation + +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + +The options are: +- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + + +**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +User Account Control: Virtualize file and registry write failures to per-user locations + +This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. + +The options are: +- 0 - Disabled: Applications that write data to protected locations fail. +- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index ba133e1921..130111a793 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Location diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index a98d78e52b..ff2b494dee 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - LockDown diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 27d44175e4..40abac41bc 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Maps diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index e0c705d31b..edaff6765e 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Messaging 
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 0d59b01e1b..3196840a3b 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - NetworkIsolation diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index fa41ee2efb..2a291f8ba6 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Notifications diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index f3bb408651..17298b3cdf 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Power @@ -62,8 +62,9 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. ADMX Info: -- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* +- GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)* - GP name: *AllowStandbyStatesAC_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* 
@@ -113,8 +114,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off the display (on battery)* +- GP English name: *Turn off the display (on battery)* - GP name: *VideoPowerDownTimeOutDC_2* +- GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* @@ -164,8 +166,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn off the display (plugged in)* +- GP English name: *Turn off the display (plugged in)* - GP name: *VideoPowerDownTimeOutAC_2* +- GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* @@ -216,8 +219,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify the system hibernate timeout (on battery)* +- GP English name: *Specify the system hibernate timeout (on battery)* - GP name: *DCHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -267,8 +271,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify the system hibernate timeout (plugged in)* +- GP English name: *Specify the system hibernate timeout (plugged in)* - GP name: *ACHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -316,8 +321,9 @@ If you disable this policy setting, the user is not prompted for a password when ADMX Info: -- GP english name: *Require a password when a computer wakes (on battery)* +- GP English name: *Require a password when a computer wakes (on battery)* - GP name: *DCPromptForPasswordOnResume_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -365,8 +371,9 @@ If you disable this policy setting, the user is not prompted for a password when ADMX Info: -- GP english name: *Require a password when a computer wakes (plugged in)* +- GP English name: *Require a password when a computer wakes (plugged in)* - GP name: *ACPromptForPasswordOnResume_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* 
@@ -416,8 +423,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify the system sleep timeout (on battery)* +- GP English name: *Specify the system sleep timeout (on battery)* - GP name: *DCStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -467,8 +475,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify the system sleep timeout (plugged in)* +- GP English name: *Specify the system sleep timeout (plugged in)* - GP name: *ACStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 2fd40ada12..ffd1d93c3c 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Printers @@ -75,8 +75,9 @@ If you disable this policy setting: ADMX Info: -- GP english name: *Point and Print Restrictions* +- GP English name: *Point and Print Restrictions* - GP name: *PointAndPrint_Restrictions_Win7* +- GP path: *Printers* - GP ADMX file name: *Printing.admx* @@ -137,8 +138,9 @@ If you disable this policy setting: ADMX Info: -- GP english name: *Point and Print Restrictions* +- GP English name: *Point and Print Restrictions* - GP name: *PointAndPrint_Restrictions* +- GP path: *Control Panel/Printers* - GP ADMX file name: *Printing.admx* @@ -188,8 +190,9 @@ Note: This settings takes priority over the setting "Automatically publish new p ADMX Info: -- GP english name: *Allow printers to be published* +- GP English name: *Allow printers to be published* - GP name: *PublishPrinters* +- GP path: *Printers* - GP ADMX file name: *Printing2.admx* 
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 64b43c3fd9..fae39d1341 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Privacy @@ -34,11 +34,11 @@ ms.date: 07/14/2017
    Mobile Enterprise
    check mark1check mark1check mark3check mark3 check mark1check mark1check mark3check mark3 check mark check mark
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + @@ -2503,6 +2542,42 @@ ms.date: 07/14/2017

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +**Privacy/PublishUserActivities** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. +


    @@ -2545,6 +2620,7 @@ Footnote: ## Privacy policies supported by Microsoft Surface Hub +- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -2553,5 +2629,6 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/PublishUserActivities](#privacy-publishuseractivities) diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 0f082798fe..61751bca3b 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - RemoteAssistance @@ -68,8 +68,9 @@ If you do not configure this policy setting, the user sees the default warning m ADMX Info: -- GP english name: *Customize warning messages* +- GP English name: *Customize warning messages* - GP name: *RA_Options* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* @@ -119,8 +120,9 @@ If you do not configure this setting, application-based settings are used. ADMX Info: -- GP english name: *Turn on session logging* +- GP English name: *Turn on session logging* - GP name: *RA_Logging* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* 
@@ -178,8 +180,9 @@ If you enable this policy setting you should also enable appropriate firewall ex ADMX Info: -- GP english name: *Configure Solicited Remote Assistance* +- GP English name: *Configure Solicited Remote Assistance* - GP name: *RA_Solicit* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* @@ -260,8 +263,9 @@ Allow Remote Desktop Exception ADMX Info: -- GP english name: *Configure Offer Remote Assistance* +- GP English name: *Configure Offer Remote Assistance* - GP name: *RA_Unsolicit* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 57e8b93015..411214069f 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - RemoteDesktopServices @@ -68,8 +68,9 @@ You can limit the number of users who can connect simultaneously by configuring ADMX Info: -- GP english name: *Allow users to connect remotely by using Remote Desktop Services* +- GP English name: *Allow users to connect remotely by using Remote Desktop Services* - GP name: *TS_DISABLE_CONNECTIONS* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* - GP ADMX file name: *terminalserver.admx* @@ -127,8 +128,9 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp ADMX Info: -- GP english name: *Set client connection encryption level* +- GP English name: *Set client connection encryption level* - GP name: *TS_ENCRYPTION_POLICY* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* 
@@ -180,8 +182,9 @@ If you do not configure this policy setting, client drive redirection and Clipbo ADMX Info: -- GP english name: *Do not allow drive redirection* +- GP English name: *Do not allow drive redirection* - GP name: *TS_CLIENT_DRIVE_M* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* - GP ADMX file name: *terminalserver.admx* @@ -229,8 +232,9 @@ If you disable this setting or leave it not configured, the user will be able to ADMX Info: -- GP english name: *Do not allow passwords to be saved* +- GP English name: *Do not allow passwords to be saved* - GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* - GP ADMX file name: *terminalserver.admx* @@ -284,8 +288,9 @@ If you do not configure this policy setting, automatic logon is not specified at ADMX Info: -- GP english name: *Always prompt for password upon connection* +- GP English name: *Always prompt for password upon connection* - GP name: *TS_PASSWORD* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* @@ -339,8 +344,9 @@ Note: The RPC interface is used for administering and configuring Remote Desktop ADMX Info: -- GP english name: *Require secure RPC communication* +- GP English name: *Require secure RPC communication* - GP name: *TS_RPC_ENCRYPTION* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 2bb1892add..d084b5d609 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - RemoteManagement @@ -56,8 +56,9 @@ ms.date: 07/14/2017 ADMX Info: -- GP english name: *Allow Basic authentication* +- GP English name: *Allow Basic authentication* - GP name: *AllowBasic_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -99,8 +100,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow Basic authentication* +- GP English name: *Allow Basic authentication* - GP name: *AllowBasic_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -142,8 +144,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow CredSSP authentication* +- GP English name: *Allow CredSSP authentication* - GP name: *AllowCredSSP_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -185,8 +188,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow CredSSP authentication* +- GP English name: *Allow CredSSP authentication* - GP name: *AllowCredSSP_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -228,8 +232,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow remote server management through WinRM* +- GP English name: *Allow remote server management through WinRM* - GP name: *AllowAutoConfig* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* 
@@ -271,8 +276,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow unencrypted traffic* +- GP English name: *Allow unencrypted traffic* - GP name: *AllowUnencrypted_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -314,8 +320,9 @@ ADMX Info: ADMX Info: -- GP english name: *Allow unencrypted traffic* +- GP English name: *Allow unencrypted traffic* - GP name: *AllowUnencrypted_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -357,8 +364,9 @@ ADMX Info: ADMX Info: -- GP english name: *Disallow Digest authentication* +- GP English name: *Disallow Digest authentication* - GP name: *DisallowDigest* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -400,8 +408,9 @@ ADMX Info: ADMX Info: -- GP english name: *Disallow Negotiate authentication* +- GP English name: *Disallow Negotiate authentication* - GP name: *DisallowNegotiate_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -443,8 +452,9 @@ ADMX Info: ADMX Info: -- GP english name: *Disallow Negotiate authentication* +- GP English name: *Disallow Negotiate authentication* - GP name: *DisallowNegotiate_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -486,8 +496,9 @@ ADMX Info: ADMX Info: -- GP english name: *Disallow WinRM from storing RunAs credentials* +- GP English name: *Disallow WinRM from storing RunAs credentials* - GP name: *DisableRunAs* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* 
@@ -529,8 +540,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify channel binding token hardening level* +- GP English name: *Specify channel binding token hardening level* - GP name: *CBTHardeningLevel_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -572,8 +584,9 @@ ADMX Info: ADMX Info: -- GP english name: *Trusted Hosts* +- GP English name: *Trusted Hosts* - GP name: *TrustedHosts* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -615,8 +628,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn On Compatibility HTTP Listener* +- GP English name: *Turn On Compatibility HTTP Listener* - GP name: *HttpCompatibilityListener* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* @@ -658,8 +672,9 @@ ADMX Info: ADMX Info: -- GP english name: *Turn On Compatibility HTTPS Listener* +- GP English name: *Turn On Compatibility HTTPS Listener* - GP name: *HttpsCompatibilityListener* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 79559fed08..dc1dab2c86 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - RemoteProcedureCall 
@@ -66,8 +66,9 @@ Note: This policy will not be applied until the system is rebooted. ADMX Info: -- GP english name: *Enable RPC Endpoint Mapper Client Authentication* +- GP English name: *Enable RPC Endpoint Mapper Client Authentication* - GP name: *RpcEnableAuthEpResolution* +- GP path: *System/Remote Procedure Call* - GP ADMX file name: *rpc.admx* @@ -127,8 +128,9 @@ Note: This policy setting will not be applied until the system is rebooted. ADMX Info: -- GP english name: *Restrict Unauthenticated RPC clients* +- GP English name: *Restrict Unauthenticated RPC clients* - GP name: *RpcRestrictRemoteClients* +- GP path: *System/Remote Procedure Call* - GP ADMX file name: *rpc.admx* diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index becd1b6df2..32309bdf9d 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - RemoteShell @@ -56,8 +56,9 @@ ms.date: 07/14/2017 ADMX Info: -- GP english name: *Allow Remote Shell Access* +- GP English name: *Allow Remote Shell Access* - GP name: *AllowRemoteShellAccess* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* @@ -99,8 +100,9 @@ ADMX Info: ADMX Info: -- GP english name: *MaxConcurrentUsers* +- GP English name: *MaxConcurrentUsers* - GP name: *MaxConcurrentUsers* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* @@ -142,8 +144,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify idle Timeout* +- GP English name: *Specify idle Timeout* - GP name: *IdleTimeout* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* 
@@ -185,8 +188,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify maximum amount of memory in MB per Shell* +- GP English name: *Specify maximum amount of memory in MB per Shell* - GP name: *MaxMemoryPerShellMB* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* @@ -228,8 +232,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify maximum number of processes per Shell* +- GP English name: *Specify maximum number of processes per Shell* - GP name: *MaxProcessesPerShell* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* @@ -271,8 +276,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify maximum number of remote shells per user* +- GP English name: *Specify maximum number of remote shells per user* - GP name: *MaxShellsPerUser* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* @@ -314,8 +320,9 @@ ADMX Info: ADMX Info: -- GP english name: *Specify Shell Timeout* +- GP English name: *Specify Shell Timeout* - GP name: *ShellTimeOut* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index b4338ee741..783aac1e8d 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Search @@ -19,6 +19,42 @@ ms.date: 07/14/2017 ## Search policies + +**Search/AllowCloudSearch** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + **Search/AllowIndexingEncryptedStoresOrItems** diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 5b0f36a599..229903014f 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/26/2017 +ms.date: 08/30/2017 --- # Policy CSP - Security @@ -216,6 +216,45 @@ ms.date: 07/26/2017 - 0 – Don't allow Anti Theft Mode. - 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). + + + +**Security/ClearTPMIfNotReady** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. + +The following list shows the supported values: + +- 0 (default) – Will not force recovery from a non-ready TPM state. +- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. + @@ -258,45 +297,6 @@ ms.date: 07/26/2017 - 0 (default) – Encryption enabled. - 1 – Encryption disabled. - - - -**Security/ClearTPMIfNotReady** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. - -The following list shows the supported values: - -- 0 (default) – Will not force recovery from a non-ready TPM state. -- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 1f0609cf32..50a3295347 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Settings diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index f051f86853..adc515f986 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - SmartScreen diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index e19e02b135..833057f11a 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Speech diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 63e49d9fa5..75e90f86a0 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Start @@ -448,10 +448,10 @@ ms.date: 07/14/2017 cross mark - check mark2 + check mark3 - check mark2 - check mark2 + check mark3 + check mark3 cross mark cross mark @@ -462,7 +462,10 @@ ms.date: 07/14/2017 > [!NOTE] > This policy requires reboot to take effect. -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. +

    Allows IT Admins to configure Start by collapsing or removing the all apps list. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

    The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 6e7bf5238a..e73be79d8b 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Storage @@ -62,8 +62,9 @@ If you disable or do not configure this policy setting, Windows will activate un ADMX Info: -- GP english name: *Do not allow Windows to activate Enhanced Storage devices* +- GP English name: *Do not allow Windows to activate Enhanced Storage devices* - GP name: *TCGSecurityActivationDisabled* +- GP path: *System/Enhanced Storage Access* - GP ADMX file name: *enhancedstorage.admx* diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index ac2270f86c..d077ea3454 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - System @@ -546,13 +546,59 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu ADMX Info: -- GP english name: *Turn off System Restore* +- GP English name: *Turn off System Restore* - GP name: *SR_DisableSR* +- GP path: *System/System Restore* - GP ADMX file name: *systemrestore.admx* +**System/LimitEnhancedDiagnosticDataWindowsAnalytics** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    This policy setting, in combination with the System/AllowTelemetry + policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. + +

    To enable this behavior you must complete two steps: +

      +
    • Enable this policy setting
    • +
    • Set Allow Telemetry to level 2 (Enhanced)
    • +
    + +

    When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). + +

    Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. + +

    If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. + + + + + **System/TelemetryProxy** diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index a301e620e4..08041394b9 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - TextInput @@ -363,29 +363,6 @@ ms.date: 07/14/2017 **TextInput/AllowKoreanExtendedHanja** - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - -

    This policy has been deprecated. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 5aa7ed1720..5eba1aac1c 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - TimeLanguageSettings diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3681d55d6f..e3a796b41d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Update @@ -46,10 +46,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] @@ -88,10 +84,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.

    Supported values are 8-18. @@ -127,10 +119,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] @@ -169,10 +157,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Enables the IT admin to manage automatic update behavior to scan, download, and install updates.

    Supported operations are Get and Replace. @@ -192,6 +176,43 @@ ms.date: 07/14/2017

    If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + +**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. + +- 0 (default) - Not allowed +- 1 - Allowed + +A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. + +This policy is accessible through the Update setting in the user interface or Group Policy. @@ -221,10 +242,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -

    Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.

    The following list shows the supported values: @@ -261,10 +278,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.

    Supported operations are Get and Replace. @@ -305,10 +318,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.

    Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store @@ -387,10 +396,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.

    Supported values are 15, 30, 60, 120, and 240 (minutes). @@ -426,10 +431,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.

    The following list shows the supported values: @@ -466,10 +467,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.

    The following list shows the supported values: @@ -506,8 +503,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

    Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. @@ -546,10 +541,6 @@ ms.date: 07/14/2017 -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.

    Supported values are 0-30. @@ -584,8 +575,6 @@ ms.date: 07/14/2017 > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. @@ -683,8 +672,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. @@ -729,6 +716,46 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + +**Update/DisableDualScan** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. + +

    For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). + +- 0 - allow scan against Windows Update +- 1 - do not allow update deferral policies to cause scans against Windows Update + +

    This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." + +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete. + @@ -758,10 +785,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).

    Supported values are 2-30 days. @@ -797,10 +820,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.

    Supported values are 1-3 days. @@ -836,10 +855,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.

    Supported values are 2-30 days. @@ -876,7 +891,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

    Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. @@ -1051,8 +1065,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. @@ -1096,8 +1108,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -1170,9 +1180,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -

    Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.

    The following list shows the supported values: @@ -1243,8 +1250,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. @@ -1284,11 +1289,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -
    - > [!NOTE] > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. @@ -1331,10 +1331,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.

    Supported values are 15, 30, or 60 (minutes). @@ -1409,10 +1405,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Enables the IT admin to schedule the day of the update installation.

    The data type is a integer. @@ -1677,10 +1669,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.

    The following list shows the supported values: @@ -1753,9 +1741,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. @@ -1815,8 +1800,6 @@ Example -> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

    Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

    This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 14181da459..7d019f9c35 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - Wifi @@ -22,29 +22,6 @@ ms.date: 07/14/2017 **WiFi/AllowWiFiHotSpotReporting** - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - -

    This policy has been deprecated. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 1562806a3e..ba85960f84 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - WindowsDefenderSecurityCenter diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index aea0a2de88..32d34d88ec 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - WindowsInkWorkspace diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index c0d3fb1bdc..22b96181e5 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - WindowsLogon @@ -62,8 +62,9 @@ If you disable or do not configure this policy setting, users can choose which a ADMX Info: -- GP english name: *Turn off app notifications on the lock screen* +- GP English name: *Turn off app notifications on the lock screen* - GP name: *DisableLockScreenAppNotifications* +- GP path: *System/Logon* - GP ADMX file name: *logon.admx* 
@@ -111,8 +112,9 @@ If you disable or don't configure this policy setting, any user can disconnect t ADMX Info: -- GP english name: *Do not display network selection UI* +- GP English name: *Do not display network selection UI* - GP name: *DontDisplayNetworkSelectionUI* +- GP path: *System/Logon* - GP ADMX file name: *logon.admx* diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 535bc242b7..ea09c4b3c7 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/14/2017 +ms.date: 08/30/2017 --- # Policy CSP - WirelessDisplay @@ -162,29 +162,6 @@ ms.date: 07/14/2017 **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - -

    Added in Windows 10, version 1703. diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index ec16e08ca7..3e242783d4 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/30/2017 +ms.date: 08/23/2017 --- # Policy DDF file @@ -21,6 +21,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) +- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) The XML below is the DDF for Windows 10, version 1709. 
@@ -353,6 +354,941 @@ The XML below is the DDF for Windows 10, version 1709. + + Browser + + + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + + + + + + + + + + + text/plain + + + + + AllowAutofill + + + + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowBrowser + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCookies + + + + + + + + This setting lets you configure how your company deals with cookies. + + + + + + + + + + + text/plain + + + + + AllowDeveloperTools + + + + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowDoNotTrack + + + + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + + + + + + + + + + + text/plain + + + + + AllowExtensions + + + + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlash + + + + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlashClickToRun + + + + + + + + Configure the Adobe Flash Click-to-Run setting. + + + + + + + + + + + text/plain + + + + + AllowInPrivate + + + + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. 
+ + + + + + + + + + + text/plain + + + + + AllowMicrosoftCompatibilityList + + + + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + + + + + + + + + + + text/plain + + + + + AllowPasswordManager + + + + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + + + + + + + + + + + text/plain + + + + + AllowPopups + + + + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + + + + + + + + + + + text/plain + + + + + AllowSearchEngineCustomization + + + + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. + +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. 
+ +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + AllowSearchSuggestionsinAddressBar + + + + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowSmartScreen + + + + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + + + + + + + + + + + text/plain + + + + + AlwaysEnableBooksLibrary + + + + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + + + + + + + + + + + text/plain + + + + + ClearBrowsingDataOnExit + + + + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + + + + + + + + + + + text/plain + + + + + ConfigureAdditionalSearchEngines + + + + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. + +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ + + + + + + + + + + text/plain + + + + + DisableLockdownOfStartPages + + + + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + EnterpriseModeSiteList + + + + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + text/plain + + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + + + text/plain + + + + + FirstRunURL + + + + + + + + Configure first run URL. + + + + + + + + + + + text/plain + + + + + HomePages + + + + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. + +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + text/plain + + + + + LockdownFavorites + + + + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. 
+ +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + + + + + text/plain + + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + + + + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventFirstRunPage + + + + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventLiveTileDataCollection + + + + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverride + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverrideForFiles + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
+ + + + + + + + + + + text/plain + + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + + + + Prevent using localhost IP address for WebRTC + + + + + + + + + + + text/plain + + + + + ProvisionFavorites + + + + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + text/plain + + + + + SendIntranetTraffictoInternetExplorer + + + + + + + + Sends all intranet traffic over to Internet Explorer. + + + + + + + + + + + text/plain + + + + + SetDefaultSearchEngine + + + + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. 
+ +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + + + + Show message when opening sites in Internet Explorer + + + + + + + + + + + text/plain + + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + + + + + + + + + + + text/plain + + + + CredentialsUI @@ -467,7 +1403,7 @@ The XML below is the DDF for Windows 10, version 1709. - AllowUserPrinterInstallation + DefaultPrinterName @@ -475,9 +1411,9 @@ The XML below is the DDF for Windows 10, version 1709. - Boolean that specifies whether or not to allow user to install new printers + This policy sets user's default printer - + @@ -491,7 +1427,7 @@ The XML below is the DDF for Windows 10, version 1709. - DefaultPrinterName + PreventAddingNewPrinters @@ -499,9 +1435,9 @@ The XML below is the DDF for Windows 10, version 1709. - This policy sets user's default printer + Boolean that specifies whether or not to prevent user to install new printers - + @@ -1133,7 +2069,7 @@ The XML below is the DDF for Windows 10, version 1709. - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -1757,7 +2693,7 @@ The XML below is the DDF for Windows 10, version 1709. - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites 
@@ -2357,7 +3293,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -2597,31 +3533,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -2861,55 +3773,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG2 + InternetZoneJavaPermissions @@ -3340,6 +4204,30 @@ The XML below is the DDF for Windows 10, version 1709. + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneInitializeAndScriptActiveXControls @@ -3364,6 +4252,54 @@ The XML below is the DDF for Windows 10, version 1709. + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneNavigateWindowsAndFrames @@ -5501,31 +6437,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneAllowFontDownloadsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 + RestrictedSitesZoneAllowFontDownloads @@ -5908,6 +6820,30 @@ The XML below is the DDF for Windows 10, version 1709. + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows 
@@ -6221,7 +7157,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -6245,7 +7181,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -6269,7 +7205,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -6293,7 +7229,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode @@ -6317,7 +7253,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -6652,6 +7588,54 @@ The XML below is the DDF for Windows 10, version 1709. + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneInitializeAndScriptActiveXControls @@ -6676,6 +7660,54 @@ The XML below is the DDF for Windows 10, version 1709. + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneJavaPermissions @@ -6724,54 +7756,6 @@ The XML below is the DDF for Windows 10, version 1709. - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - - - text/plain - - - Notifications @@ -7062,6 +8046,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + HighestValueMostSecure 
@@ -7108,6 +8093,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_MarkZoneOnSavedAtttachments + LastWrite @@ -7134,6 +8120,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_RemoveZoneInfo + LastWrite @@ -7160,6 +8147,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_CallIOfficeAntiVirus + LastWrite @@ -7202,6 +8190,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7248,6 +8237,7 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume + LastWrite @@ -7274,6 +8264,7 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun + LastWrite 
@@ -7300,6 +8291,921 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun + LastWrite + + + + + Browser + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowAutofill + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowBrowser + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + LowestValueMostSecure + + + + AllowCookies + + + + + This setting lets you configure how your company deals with cookies. + 2 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowDeveloperTools + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowDoNotTrack + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowExtensions + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowFlash + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + AllowFlashClickToRun + + + + + Configure the Adobe Flash Click-to-Run setting. 
+ 1 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + AllowInPrivate + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowMicrosoftCompatibilityList + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowPasswordManager + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowPopups + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowSearchEngineCustomization + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. 
+ +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. + +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowSearchSuggestionsinAddressBar + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowSmartScreen + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AlwaysEnableBooksLibrary + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + ClearBrowsingDataOnExit + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + ConfigureAdditionalSearchEngines + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. 
+ +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + LastWrite + + + + DisableLockdownOfStartPages + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + EnterpriseModeSiteList + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + FirstRunURL + + + + + Configure first run URL. + + + + + + + + + + + + text/plain + + desktop + LastWrite + + + + HomePages + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. 
+ +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + LockdownFavorites + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + Prevent access to the about:flags page in Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventFirstRunPage + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + PreventLiveTileDataCollection + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventSmartScreenPromptOverride + + + + + Don't allow Windows Defender SmartScreen warning overrides + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventSmartScreenPromptOverrideForFiles + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + Prevent using localhost IP address for WebRTC + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + ProvisionFavorites + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
+ + + + + + + + + + + + text/plain + + LastWrite + + + + SendIntranetTraffictoInternetExplorer + + + + + Sends all intranet traffic over to Internet Explorer. + 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + SetDefaultSearchEngine + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. + +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + LastWrite + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + Show message when opening sites in Internet Explorer + 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. 
Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure @@ -7346,6 +9252,7 @@ The XML below is the DDF for Windows 10, version 1709. credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal + LastWrite @@ -7392,6 +9299,7 @@ The XML below is the DDF for Windows 10, version 1709. desktop.admx desktop~AT~Desktop DisablePersonalDirChange + LastWrite @@ -7414,28 +9322,6 @@ The XML below is the DDF for Windows 10, version 1709. - - AllowUserPrinterInstallation - - - - - Boolean that specifies whether or not to allow user to install new printers - - - - - - - - - - - - text/plain - - - DefaultPrinterName @@ -7456,6 +9342,30 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite + + + + PreventAddingNewPrinters + + + + + Boolean that specifies whether or not to prevent user to install new printers + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure @@ -7478,6 +9388,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7520,6 +9431,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7542,6 +9454,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7551,7 +9464,7 @@ The XML below is the DDF for Windows 10, version 1709. A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - E1CF1107-FF90-4228-93BF-26052DD2C714 + @@ -7564,6 +9477,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7586,6 +9500,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7608,6 +9523,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7630,6 +9546,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite 
@@ -7672,6 +9589,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7695,6 +9613,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7718,6 +9637,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7741,6 +9661,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7763,6 +9684,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7785,6 +9707,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7808,6 +9731,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7854,6 +9778,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider + LastWrite @@ -7880,6 +9805,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering + LastWrite @@ -7906,6 +9832,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList + LastWrite @@ -7932,6 +9859,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictFormSuggestPW + LastWrite @@ -7958,6 +9886,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch + LastWrite @@ -7984,6 +9913,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit + LastWrite 
@@ -8010,6 +9940,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode + LastWrite @@ -8036,6 +9967,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable + LastWrite @@ -8062,10 +9994,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList + LastWrite - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -8088,6 +10021,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList + LastWrite @@ -8114,6 +10048,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites + LastWrite @@ -8140,6 +10075,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate + LastWrite @@ -8166,6 +10102,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate + LastWrite @@ -8192,6 +10129,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate + LastWrite @@ -8218,6 +10156,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate + LastWrite 
@@ -8244,6 +10183,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate + LastWrite @@ -8270,6 +10210,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate + LastWrite @@ -8296,6 +10237,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate + LastWrite @@ -8322,6 +10264,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry + LastWrite @@ -8348,6 +10291,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps + LastWrite @@ -8374,6 +10318,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate + LastWrite @@ -8400,6 +10345,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock + LastWrite @@ -8426,6 +10372,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate + LastWrite @@ -8452,6 +10399,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites + LastWrite 
@@ -8478,6 +10426,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate + LastWrite @@ -8504,6 +10453,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation + LastWrite @@ -8530,6 +10480,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures + LastWrite @@ -8556,6 +10507,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction IESF_PolicyExplorerProcesses_2 + LastWrite @@ -8582,6 +10534,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE + LastWrite @@ -8608,6 +10561,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -8634,6 +10588,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverride + LastWrite @@ -8660,6 +10615,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverrideForAppRepUnknown + LastWrite @@ -8686,6 +10642,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory + LastWrite 
@@ -8712,6 +10669,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddonManagement_RestrictCrashDetection + LastWrite @@ -8738,10 +10696,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP + LastWrite - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -8764,6 +10723,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory + LastWrite @@ -8790,6 +10750,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures + LastWrite @@ -8816,6 +10777,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols + LastWrite @@ -8842,6 +10804,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise + LastWrite @@ -8868,6 +10831,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead + LastWrite @@ -8894,6 +10858,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictHomePage + LastWrite @@ -8920,6 +10885,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError + LastWrite @@ -8946,6 +10912,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing + LastWrite 
@@ -8972,6 +10939,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit + LastWrite @@ -8998,6 +10966,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictProxy + LastWrite @@ -9024,6 +10993,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider + LastWrite @@ -9050,6 +11020,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages + LastWrite @@ -9076,6 +11047,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check + LastWrite @@ -9102,6 +11074,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat + LastWrite @@ -9128,6 +11101,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -9154,6 +11128,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist + LastWrite @@ -9180,6 +11155,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites + LastWrite @@ -9206,6 +11182,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet + LastWrite 
@@ -9232,6 +11209,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 + LastWrite @@ -9258,6 +11236,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 + LastWrite @@ -9284,6 +11263,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 + LastWrite @@ -9310,6 +11290,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 + LastWrite @@ -9336,6 +11317,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 + LastWrite @@ -9362,6 +11344,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 + LastWrite @@ -9388,10 +11371,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -9414,6 +11398,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 + LastWrite 
@@ -9440,6 +11425,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -9464,8 +11450,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet + LastWrite @@ -9490,8 +11477,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAllowTDCControl_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowTDCControl_Both_Internet + LastWrite @@ -9518,6 +11506,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 + LastWrite @@ -9542,8 +11531,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyWindowsRestrictionsURLaction_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyWindowsRestrictionsURLaction_1 + LastWrite @@ -9570,6 +11560,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 + LastWrite 
@@ -9596,6 +11587,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 + LastWrite @@ -9622,6 +11614,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 + LastWrite @@ -9648,10 +11641,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 + LastWrite - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -9674,32 +11668,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite @@ -9724,8 +11693,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyDownloadSignedActiveX_3 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + LastWrite @@ -9752,6 +11722,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 + LastWrite 
@@ -9776,8 +11747,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyTurnOnXSSFilter_Both_Internet + LastWrite @@ -9804,6 +11776,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + LastWrite @@ -9830,6 +11803,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + LastWrite @@ -9856,6 +11830,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 + LastWrite @@ -9880,8 +11855,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_TurnOnProtectedMode_2 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_TurnOnProtectedMode_1 + LastWrite @@ -9908,6 +11884,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 + LastWrite 
@@ -9934,36 +11911,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 + LastWrite - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - - - - InternetZoneJavaPermissionsWRONG1 + InternetZoneJavaPermissions @@ -9986,32 +11938,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 - - - - InternetZoneJavaPermissionsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 + LastWrite @@ -10038,6 +11965,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + LastWrite @@ -10064,6 +11992,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 + LastWrite @@ -10090,6 +12019,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 + LastWrite @@ -10116,6 +12046,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite 
@@ -10142,6 +12073,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 + LastWrite @@ -10168,6 +12100,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 + LastWrite @@ -10194,6 +12127,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 + LastWrite @@ -10220,6 +12154,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite @@ -10246,6 +12181,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 + LastWrite @@ -10272,6 +12208,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 + LastWrite @@ -10298,6 +12235,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 + LastWrite @@ -10324,6 +12262,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 + LastWrite 
@@ -10350,6 +12289,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 + LastWrite @@ -10376,6 +12316,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + LastWrite @@ -10402,6 +12343,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 + LastWrite @@ -10428,6 +12370,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 + LastWrite @@ -10454,6 +12397,34 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 + LastWrite + + + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite 
@@ -10480,6 +12451,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + LastWrite @@ -10506,6 +12532,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 + LastWrite @@ -10532,6 +12559,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 + LastWrite @@ -10558,6 +12586,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 + LastWrite @@ -10584,6 +12613,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 + LastWrite @@ -10610,6 +12640,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 + LastWrite 
@@ -10636,6 +12667,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 + LastWrite @@ -10662,6 +12694,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + LastWrite @@ -10688,6 +12721,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 + LastWrite @@ -10714,6 +12748,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 + LastWrite @@ -10740,6 +12775,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 + LastWrite @@ -10764,8 +12800,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + LastWrite @@ -10792,6 +12829,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 + LastWrite @@ -10818,6 +12856,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 + LastWrite 
@@ -10844,6 +12883,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 + LastWrite @@ -10870,6 +12910,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 + LastWrite @@ -10896,6 +12937,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 + LastWrite @@ -10922,6 +12964,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 + LastWrite @@ -10948,6 +12991,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 + LastWrite @@ -10974,6 +13018,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 + LastWrite @@ -11000,6 +13045,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + LastWrite @@ -11026,6 +13072,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 + LastWrite 
@@ -11052,6 +13099,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 + LastWrite @@ -11078,6 +13126,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 + LastWrite @@ -11104,6 +13153,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 + LastWrite @@ -11130,6 +13180,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 + LastWrite @@ -11156,6 +13207,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 + LastWrite @@ -11182,6 +13234,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 + LastWrite @@ -11208,6 +13261,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 + LastWrite @@ -11234,6 +13288,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 + LastWrite 
@@ -11260,6 +13315,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 + LastWrite @@ -11286,6 +13342,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 + LastWrite @@ -11312,6 +13369,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + LastWrite @@ -11338,6 +13396,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 + LastWrite @@ -11364,6 +13423,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 + LastWrite @@ -11390,6 +13450,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 + LastWrite @@ -11416,6 +13477,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 + LastWrite @@ -11442,6 +13504,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 + LastWrite 
@@ -11468,6 +13531,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 + LastWrite @@ -11494,6 +13558,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 + LastWrite @@ -11520,6 +13585,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 + LastWrite @@ -11546,6 +13612,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 + LastWrite @@ -11572,6 +13639,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 + LastWrite @@ -11598,6 +13666,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + LastWrite @@ -11624,6 +13693,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 + LastWrite @@ -11650,6 +13720,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 + LastWrite 
@@ -11676,6 +13747,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 + LastWrite @@ -11702,6 +13774,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 + LastWrite @@ -11728,6 +13801,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 + LastWrite @@ -11754,6 +13828,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 + LastWrite @@ -11780,6 +13855,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 + LastWrite @@ -11806,6 +13882,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 + LastWrite @@ -11832,6 +13909,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 + LastWrite @@ -11858,6 +13936,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 + LastWrite 
@@ -11884,6 +13963,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 + LastWrite @@ -11910,6 +13990,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + LastWrite @@ -11936,6 +14017,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 + LastWrite @@ -11962,6 +14044,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 + LastWrite @@ -11988,6 +14071,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 + LastWrite @@ -12014,6 +14098,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 + LastWrite @@ -12040,6 +14125,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 + LastWrite @@ -12066,6 +14152,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 + LastWrite 
@@ -12092,6 +14179,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 + LastWrite @@ -12118,6 +14206,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 + LastWrite @@ -12144,6 +14233,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 + LastWrite @@ -12170,6 +14260,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 + LastWrite @@ -12196,6 +14287,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 + LastWrite @@ -12222,6 +14314,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + LastWrite @@ -12248,6 +14341,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 + LastWrite @@ -12274,6 +14368,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 + LastWrite 
@@ -12300,6 +14395,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 + LastWrite @@ -12326,6 +14422,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 + LastWrite @@ -12352,6 +14449,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 + LastWrite @@ -12378,6 +14476,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 + LastWrite @@ -12404,6 +14503,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 + LastWrite @@ -12430,6 +14530,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 + LastWrite @@ -12456,6 +14557,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 + LastWrite @@ -12480,8 +14582,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 + inetres~AT~WindowsComponents~InternetExplorer + Disable_Managing_Safety_Filter_IE9 + LastWrite 
@@ -12508,6 +14611,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall + LastWrite @@ -12534,6 +14638,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyAllProcesses_9 + LastWrite @@ -12560,6 +14665,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime + LastWrite @@ -12586,6 +14692,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyAllProcesses_11 + LastWrite @@ -12612,6 +14719,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 + LastWrite @@ -12636,8 +14744,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyActiveScripting_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyActiveScripting_7 + LastWrite @@ -12664,6 +14773,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 + LastWrite @@ -12690,6 +14800,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 + LastWrite 
@@ -12714,8 +14825,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBinaryBehaviors_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBinaryBehaviors_7 + LastWrite @@ -12742,6 +14854,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 + LastWrite @@ -12768,6 +14881,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 + LastWrite @@ -12792,12 +14906,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFileDownload_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFileDownload_7 + LastWrite - RestrictedSitesZoneAllowFontDownloadsWRONG1 + RestrictedSitesZoneAllowFontDownloads @@ -12820,32 +14935,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 + LastWrite @@ -12872,6 +14962,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 + LastWrite 
@@ -12898,6 +14989,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 + LastWrite @@ -12922,8 +15014,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowMETAREFRESH_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowMETAREFRESH_7 + LastWrite @@ -12950,6 +15043,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + LastWrite @@ -12976,6 +15070,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + LastWrite @@ -13002,6 +15097,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted + LastWrite @@ -13028,6 +15124,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 + LastWrite @@ -13054,6 +15151,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 + LastWrite 
@@ -13080,6 +15178,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 + LastWrite @@ -13106,6 +15205,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 + LastWrite @@ -13132,6 +15232,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 + LastWrite @@ -13158,6 +15259,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 + LastWrite @@ -13184,6 +15286,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + LastWrite @@ -13210,6 +15313,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 + LastWrite @@ -13236,6 +15340,34 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 + LastWrite + + + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite 
@@ -13262,6 +15394,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + LastWrite @@ -13288,6 +15421,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + LastWrite @@ -13314,6 +15448,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 + LastWrite @@ -13340,6 +15475,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 + LastWrite @@ -13366,6 +15502,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 + LastWrite @@ -13392,6 +15529,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 + LastWrite @@ -13418,6 +15556,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + LastWrite @@ -13444,6 +15583,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 + LastWrite 
@@ -13470,6 +15610,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -13494,8 +15635,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -13520,8 +15662,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyRunActiveXControls_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyRunActiveXControls_7 + LastWrite @@ -13548,6 +15691,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 + LastWrite @@ -13572,12 +15716,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXMarkedSafe_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXMarkedSafe_7 + LastWrite - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets 
@@ -13598,12 +15743,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptingOfJavaApplets_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptingOfJavaApplets_7 + LastWrite - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -13626,10 +15772,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 + LastWrite - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -13652,10 +15799,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode @@ -13678,10 +15826,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 + LastWrite - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -13704,6 +15853,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 + LastWrite @@ -13730,6 +15880,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyAllProcesses_12 + LastWrite 
@@ -13756,6 +15907,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyAllProcesses_8 + LastWrite @@ -13782,6 +15934,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider + LastWrite @@ -13808,6 +15961,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall + LastWrite @@ -13834,6 +15988,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 + LastWrite @@ -13860,6 +16015,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 + LastWrite @@ -13886,6 +16042,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 + LastWrite @@ -13912,6 +16069,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 + LastWrite @@ -13938,6 +16096,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 + LastWrite 
@@ -13964,6 +16123,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + LastWrite @@ -13990,6 +16150,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 + LastWrite @@ -14016,6 +16177,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 + LastWrite @@ -14042,6 +16204,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 + LastWrite + + + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite 
@@ -14068,6 +16285,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -14094,6 +16366,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 + LastWrite @@ -14120,58 +16393,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - - - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -14214,6 +16436,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure 
@@ -14260,6 +16483,7 @@ The XML below is the DDF for Windows 10, version 1709. Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions + LastWrite @@ -14302,6 +16526,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -14345,6 +16570,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LastWrite @@ -14387,6 +16613,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -14642,87 +16869,6 @@ The XML below is the DDF for Windows 10, version 1709. - - AccountPolicies - - - - - - - - - - - - - - - - - - - - - MinDevicePasswordLength - - - - - - - - This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. - - - - - - - - - - - text/plain - - - - - PasswordMustMeetComplexityRequirement - - - - - - - - This security setting determines whether passwords must meet complexity requirements. - -If this policy is enabled, passwords must meet the following minimum requirements: - -Not contain the user's account name or parts of the user's full name that exceed two consecutive characters -Be at least six characters in length -Contain characters from three of the following four categories: -English uppercase characters (A through Z) -English lowercase characters (a through z) -Base 10 digits (0 through 9) -Non-alphabetic characters (for example, !, $, #, %) -Complexity requirements are enforced when passwords are changed or created. - - - - - - - - - - - text/plain - - - - Accounts @@ -15910,6 +18056,30 @@ Complexity requirements are enforced when passwords are changed or created. + + AllowAadPasswordReset + + + + + + + + Specifies whether password reset is enabled for AAD accounts. + + + + + + + + + + + text/plain + + + AllowFastReconnect 
@@ -16537,7 +18707,7 @@ Complexity requirements are enforced when passwords are changed or created. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. @@ -16679,6 +18849,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AlwaysEnableBooksLibrary + + + + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + + + + + + + + + + + text/plain + + + ClearBrowsingDataOnExit 
@@ -16848,7 +19042,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -16863,6 +19057,37 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo + + LockdownFavorites + + + + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + + + + + text/plain + + + PreventAccessToAboutFlagsInMicrosoftEdge 
@@ -17011,6 +19236,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ProvisionFavorites + + + + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + text/plain + + + SendIntranetTraffictoInternetExplorer 
@@ -17181,6 +19437,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + + + + This policy setting specifies whether Windows apps can access cellular data. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + ShowAppCellularAccessUI @@ -17633,6 +19985,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableWindowsAutoPilotResetCredentials + + + + + + + + + + + + + + + + + + + text/plain + + + CredentialsUI @@ -18845,6 +21221,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOCacheHost + + + + + + + + + + + + + + + + + + + text/plain + + + DODownloadMode @@ -19520,7 +21920,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 
@@ -20468,6 +22868,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + ExploitGuard + + + + + + + + + + + + + + + + + + + + + ExploitProtectionSettings + + + + + + + + + + + + + + + + + + + text/plain + + + + Games @@ -20514,6 +22960,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + Handwriting + + + + + + + + + + + + + + + + + + + + + PanelDefaultModeDocked + + + + + + + + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen + + + + + + + + + + + text/plain + + + + InternetExplorer @@ -20752,7 +23244,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -21376,7 +23868,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -22024,7 +24516,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -22264,31 +24756,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -22528,55 +24996,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG2 + InternetZoneJavaPermissions 
@@ -23007,6 +25427,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneInitializeAndScriptActiveXControls @@ -23031,6 +25475,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneNavigateWindowsAndFrames @@ -25168,31 +27660,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneAllowFontDownloadsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 + RestrictedSitesZoneAllowFontDownloads @@ -25575,6 +28043,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows @@ -25888,7 +28380,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -25912,7 +28404,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -25936,7 +28428,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -25960,7 +28452,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode 
@@ -25984,7 +28476,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -26080,7 +28572,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -26343,6 +28835,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneInitializeAndScriptActiveXControls @@ -26367,6 +28907,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneJavaPermissions @@ -26415,54 +29003,6 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - - - text/plain - - - Kerberos 
@@ -26708,9 +29248,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -26883,6 +29423,130 @@ Default: Guest. + + Devices_AllowedToFormatAndEjectRemovableMedia + + + + + + + + Devices: Allowed to format and eject removable media + +This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: + +Administrators +Administrators and Interactive Users + +Default: This policy is not defined and only Administrators have this ability. + + + + + + + + + + + text/plain + + + + + Devices_AllowUndockWithoutHavingToLogon + + + + + + + + Devices: Allow undock without having to log on +This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +Default: Enabled. + +Caution +Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + + + + + + + + + + + text/plain + + + + + Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + + + + + + + Devices: Prevent users from installing printer drivers when connecting to shared printers + +For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. + +Default on servers: Enabled. 
+Default on workstations: Disabled + +Notes + +This setting does not affect the ability to add a local printer. +This setting does not affect Administrators. + + + + + + + + + + + text/plain + + + + + Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + + + + + + + Devices: Restrict CD-ROM access to locally logged-on user only + +This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. + +If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. + +Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + + + + + + + + + + + text/plain + + + InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked @@ -26911,7 +29575,7 @@ Do not display user information (3) - Interactivelogon_DoNotDisplayLastSignedIn + InteractiveLogon_DoNotDisplayLastSignedIn @@ -26941,7 +29605,7 @@ Default: Disabled. - Interactivelogon_DoNotDisplayUsernameAtSignIn + InteractiveLogon_DoNotDisplayUsernameAtSignIn @@ -26971,7 +29635,7 @@ Default: Disabled. - Interactivelogon_DoNotRequireCTRLALTDEL + InteractiveLogon_DoNotRequireCTRLALTDEL 
@@ -27233,6 +29897,39 @@ Default: This policy is not defined and automatic administrative logon is not al + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + + + + + + + Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. + + + + + + + + + + + text/plain + + + Shutdown_ClearVirtualMemoryPageFile 
@@ -27278,9 +29975,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -27310,17 +30007,17 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. 
@@ -27349,11 +30046,43 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+ + + + + + + + + + + text/plain + + + + + UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + + + + + + + User Account Control: Detect application installations and prompt for elevation + +This policy setting controls the behavior of application installation detection for the computer. + +The options are: + +Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. @@ -27383,9 +30112,9 @@ This policy setting enforces public key infrastructure (PKI) signature checks fo The options are: -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. 
@@ -27413,17 +30142,17 @@ The options are: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. 
@@ -27453,9 +30182,9 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. @@ -27485,9 +30214,9 @@ This policy setting controls whether the elevation request prompt is displayed o The options are: -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 
@@ -27517,9 +30246,9 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i The options are: -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. @@ -27549,9 +30278,9 @@ This policy setting controls whether application write failures are redirected t The options are: -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -• Disabled: Applications that write data to protected locations fail. +• Disabled: Applications that write data to protected locations fail. 
@@ -28846,102 +31575,6 @@ The options are: - - LetAppsAccessCellularData - - - - - - - - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - LetAppsAccessContacts @@ -30199,7 +32832,7 @@ The options are: - This policy setting specifies whether Windows apps can sync with devices. + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. @@ -30223,7 +32856,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. 
@@ -30247,7 +32880,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -30271,7 +32904,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -31258,6 +33891,30 @@ The options are: + + AllowCloudSearch + + + + + + + + + + + + + + + + + + + text/plain + + + AllowIndexingEncryptedStoresOrItems @@ -32950,6 +35607,30 @@ The options are: + + AllowDiskHealthModelUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EnhancedStorageDevices 
@@ -33221,7 +35902,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. @@ -33260,6 +35941,30 @@ The options are: + + FeedbackHubAlwaysSaveDiagnosticsLocally + + + + + + + + Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + + + + + + + + + + + text/plain + + + TelemetryProxy @@ -34070,6 +36775,30 @@ The options are: + + DisableDualScan + + + + + + + + Do not allow update deferral policies to cause scans against Windows Update + + + + + + + + + + + text/plain + + + EngagedRestartDeadline @@ -34239,7 +36968,7 @@ The options are: - ManageBuildPreview + ManagePreviewBuilds @@ -35739,6 +38468,7 @@ The options are: text/plain desktop + LowestValueMostSecure 
@@ -35761,6 +38491,7 @@ The options are: text/plain + LowestValueMostSecure @@ -35783,83 +38514,7 @@ The options are: text/plain - - - - - AccountPolicies - - - - - - - - - - - - - - - - - - - MinDevicePasswordLength - - - - - This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. - 7 - - - - - - - - - - - text/plain - - phone - - - - PasswordMustMeetComplexityRequirement - - - - - This security setting determines whether passwords must meet complexity requirements. - -If this policy is enabled, passwords must meet the following minimum requirements: - -Not contain the user's account name or parts of the user's full name that exceed two consecutive characters -Be at least six characters in length -Contain characters from three of the following four categories: -English uppercase characters (A through Z) -English lowercase characters (a through z) -Base 10 digits (0 through 9) -Non-alphabetic characters (for example, !, $, #, %) -Complexity requirements are enforced when passwords are changed or created. - 0 - - - - - - - - - - - text/plain - - phone + LowestValueMostSecure @@ -35902,6 +38557,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -35924,6 +38580,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -35946,6 +38603,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -35968,6 +38626,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite 
@@ -36014,6 +38673,7 @@ Complexity requirements are enforced when passwords are changed or created.ActiveXInstallService.admx ActiveXInstallService~AT~WindowsComponents~AxInstSv ApprovedActiveXInstallSites + LastWrite @@ -36057,6 +38717,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LastWrite @@ -36099,6 +38760,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36121,6 +38783,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36143,6 +38806,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36166,6 +38830,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -36188,6 +38853,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36211,6 +38877,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LowestValueMostSecure @@ -36234,6 +38901,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LastWrite @@ -36256,6 +38924,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36278,6 +38947,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36300,6 +38970,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36346,6 +39017,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV EnableAppV + LastWrite 
@@ -36372,6 +39044,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVEnable + LastWrite @@ -36398,6 +39071,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_PackageManagement PackageManagement_AutoCleanupEnable + LastWrite @@ -36424,6 +39098,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Scripting Scripting_Enable_Package_Scripts + LastWrite @@ -36450,6 +39125,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Enable_Publishing_Refresh_UX + LastWrite @@ -36476,6 +39152,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Reporting Reporting_Server_Policy + LastWrite @@ -36502,6 +39179,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_File_Exclusions + LastWrite @@ -36528,6 +39206,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_Registry_Exclusions + LastWrite @@ -36554,6 +39233,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Steaming_Autoload + LastWrite @@ -36580,6 +39260,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Client_Coexistence Client_Coexistence_Enable_Migration_mode + LastWrite @@ -36606,6 +39287,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_User + LastWrite 
@@ -36632,6 +39314,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_Global + LastWrite @@ -36658,6 +39341,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server1_Policy + LastWrite @@ -36684,6 +39368,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server2_Policy + LastWrite @@ -36710,6 +39395,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server3_Policy + LastWrite @@ -36736,6 +39422,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server4_Policy + LastWrite @@ -36762,6 +39449,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server5_Policy + LastWrite @@ -36788,6 +39476,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Certificate_Filter_For_Client_SSL + LastWrite @@ -36814,6 +39503,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Allow_High_Cost_Launch + LastWrite @@ -36840,6 +39530,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Location_Provider + LastWrite @@ -36866,6 +39557,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Installation_Root + LastWrite 
@@ -36892,6 +39584,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Source_Root + LastWrite @@ -36918,6 +39611,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Interval + LastWrite @@ -36944,6 +39638,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Retries + LastWrite @@ -36970,6 +39665,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Shared_Content_Store_Mode + LastWrite @@ -36996,6 +39692,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Support_Branch_Cache + LastWrite @@ -37022,6 +39719,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Verify_Certificate_Revocation_List + LastWrite @@ -37048,6 +39746,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVAllowList + LastWrite @@ -37070,6 +39769,30 @@ Complexity requirements are enforced when passwords are changed or created. + + AllowAadPasswordReset + + + + + Specifies whether password reset is enabled for AAD accounts. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + AllowFastReconnect @@ -37090,6 +39813,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37113,6 +39837,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure 
@@ -37135,6 +39860,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37181,6 +39907,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume + LastWrite @@ -37207,6 +39934,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun + LastWrite @@ -37233,6 +39961,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun + LastWrite @@ -37275,6 +40004,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37317,6 +40047,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37339,6 +40070,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37361,6 +40093,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37383,6 +40116,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37405,6 +40139,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37448,6 +40183,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37470,6 +40206,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37493,6 +40230,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LowestValueMostSecure @@ -37515,6 +40253,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure 
@@ -37538,6 +40277,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37560,6 +40300,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37583,6 +40324,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37606,6 +40348,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + HighestValueMostSecure @@ -37629,6 +40372,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + HighestValueMostSecure @@ -37651,6 +40395,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure 
@@ -37661,7 +40406,7 @@ Complexity requirements are enforced when passwords are changed or created. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. 1 @@ -37677,6 +40422,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + LowestValueMostSecure @@ -37699,6 +40445,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + LowestValueMostSecure 
@@ -37722,6 +40469,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain phone + LowestValueMostSecure @@ -37749,6 +40497,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure @@ -37771,6 +40520,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure @@ -37793,6 +40543,30 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure + + + + AlwaysEnableBooksLibrary + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -37816,6 +40590,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain phone + LowestValueMostSecure @@ -37844,6 +40619,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -37872,6 +40648,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LowestValueMostSecure @@ -37895,6 +40672,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LastWrite @@ -37918,6 +40696,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LastWrite @@ -37941,6 +40720,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain desktop + LastWrite 
@@ -37954,7 +40734,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -37969,6 +40749,37 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo text/plain phone + LastWrite + + + + LockdownFavorites + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -37991,6 +40802,7 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo text/plain + HighestValueMostSecure 
@@ -38016,6 +40828,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -38040,6 +40853,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38062,6 +40876,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38084,6 +40899,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38106,6 +40922,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure + + + + ProvisionFavorites + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + + text/plain + + LastWrite @@ -38129,6 +40976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -38157,6 +41005,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38180,6 +41029,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure 
@@ -38203,6 +41053,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure @@ -38245,6 +41096,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38267,6 +41119,101 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + This policy setting specifies whether Windows apps can access cellular data. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + ShowAppCellularAccessUI @@ -38290,6 +41237,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~UISettings_Category ShowAppCellularAccessUI + LastWrite 
@@ -38332,6 +41280,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38354,6 +41303,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38376,6 +41326,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38398,6 +41349,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38421,6 +41373,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -38444,6 +41397,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -38466,6 +41420,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38488,6 +41443,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38514,6 +41470,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableHTTPPrinting_2 + LastWrite @@ -38540,6 +41497,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableWebPnPDownload_2 + LastWrite @@ -38566,6 +41524,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings ShellPreventWPWDownload_2 + LastWrite @@ -38588,6 +41547,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure 
@@ -38614,6 +41574,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on networkprovider.admx NetworkProvider~AT~Network~Cat_NetworkProvider Pol_HardenedPaths + LastWrite @@ -38640,6 +41601,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on NetworkConnections.admx NetworkConnections~AT~Network~NetworkConnections NC_AllowNetBridge_NLA + LastWrite @@ -38686,6 +41648,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credentialproviders.admx CredentialProviders~AT~System~Logon AllowDomainPINLogon + LastWrite @@ -38712,6 +41675,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credentialproviders.admx CredentialProviders~AT~System~Logon BlockDomainPicturePassword + LastWrite + + + + EnableWindowsAutoPilotResetCredentials + + + + + + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -38758,6 +41745,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal + LastWrite @@ -38784,6 +41772,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credui.admx CredUI~AT~WindowsComponents~CredUI EnumerateAdministrators + LastWrite @@ -38826,6 +41815,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38848,6 +41838,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38890,6 +41881,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38912,6 +41904,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite 
@@ -38957,6 +41950,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost3G + LastWrite @@ -38982,6 +41976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost4G + LastWrite @@ -39025,6 +42020,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39048,6 +42044,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39071,6 +42068,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39094,6 +42092,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39117,6 +42116,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39140,6 +42140,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39163,6 +42164,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39186,6 +42188,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39209,6 +42212,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39232,6 +42236,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure 
@@ -39255,6 +42260,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39278,6 +42284,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39301,6 +42308,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39324,6 +42332,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39347,6 +42356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39370,6 +42380,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39393,6 +42404,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39416,6 +42428,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39439,6 +42452,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39462,6 +42476,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39485,6 +42500,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39508,6 +42524,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39531,6 +42548,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39554,6 +42572,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite 
@@ -39577,6 +42596,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39600,6 +42620,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39623,6 +42644,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39646,6 +42668,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure @@ -39669,6 +42692,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39692,6 +42716,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39715,6 +42740,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39738,6 +42764,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39761,6 +42788,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39784,6 +42812,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39807,6 +42836,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39850,6 +42880,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39873,6 +42904,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure + + + + DOCacheHost + + + + + + + + + + + + + + + + + text/plain + + phone + LastWrite 
@@ -39896,6 +42952,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39919,6 +42976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39942,6 +43000,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39965,6 +43024,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39988,6 +43048,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40011,6 +43072,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40034,6 +43096,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40057,6 +43120,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40080,6 +43144,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40103,6 +43168,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40126,6 +43192,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40149,6 +43216,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40172,6 +43240,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40195,6 +43264,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite 
@@ -40238,6 +43308,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -40261,6 +43332,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecureZeroHasNoLimits @@ -40284,6 +43356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -40330,6 +43403,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_IDs_Deny + LastWrite @@ -40356,6 +43430,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Classes_Deny + LastWrite @@ -40399,6 +43474,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -40421,6 +43497,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -40443,6 +43520,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40465,6 +43543,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40487,6 +43566,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40509,6 +43589,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits 
@@ -40517,7 +43598,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 0 @@ -40531,6 +43612,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -40554,6 +43636,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40576,6 +43659,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -40598,6 +43682,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -40620,6 +43705,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -40643,6 +43729,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -40665,6 +43752,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -40687,6 +43775,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecureZeroHasNoLimits @@ -40714,6 +43803,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + HighestValueMostSecure @@ -40740,6 +43830,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ControlPanelDisplay.admx ControlPanelDisplay~AT~ControlPanel~Personalization CPL_Personalization_NoLockScreenSlideshow + LastWrite @@ -40762,6 +43853,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LastWrite 
@@ -40805,6 +43897,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LastWrite @@ -40828,6 +43921,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LastWrite @@ -40874,6 +43968,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerConsentCustomize_2 + LastWrite @@ -40900,6 +43995,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDisable_2 + LastWrite @@ -40926,6 +44022,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting PCH_ShowUI + LastWrite @@ -40952,6 +44049,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerNoSecondLevelData_2 + LastWrite @@ -40978,6 +44076,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDoNotShowUI + LastWrite @@ -41024,6 +44123,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_Log_Retention_1 + LastWrite @@ -41050,6 +44150,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_LogMaxSize_1 + LastWrite 
@@ -41076,6 +44177,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security Channel_LogMaxSize_2 + LastWrite @@ -41102,6 +44204,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System Channel_LogMaxSize_4 + LastWrite @@ -41145,6 +44248,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure @@ -41167,6 +44271,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41189,6 +44294,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41211,6 +44317,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41233,6 +44340,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41255,6 +44363,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41277,6 +44386,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41299,6 +44409,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41321,6 +44432,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + HighestValueMostSecure @@ -41343,6 +44455,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41366,6 +44479,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure 
@@ -41389,6 +44503,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure @@ -41412,6 +44527,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -41434,6 +44550,50 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + HighestValueMostSecure + + + + + ExploitGuard + + + + + + + + + + + + + + + + + + + ExploitProtectionSettings + + + + + + + + + + + + + + + + + text/plain + + LastWrite @@ -41476,6 +44636,51 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure + + + + + Handwriting + + + + + + + + + + + + + + + + + + + PanelDefaultModeDocked + + + + + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure @@ -41522,6 +44727,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider + LastWrite @@ -41548,6 +44754,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering + LastWrite @@ -41574,6 +44781,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList + LastWrite @@ -41600,6 +44808,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch + LastWrite 
@@ -41626,6 +44835,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit + LastWrite @@ -41652,6 +44862,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode + LastWrite @@ -41678,6 +44889,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable + LastWrite @@ -41704,6 +44916,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList + LastWrite @@ -41730,10 +44943,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures Advanced_EnableSSL3Fallback + LastWrite - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -41756,6 +44970,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList + LastWrite @@ -41782,6 +44997,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites + LastWrite @@ -41808,6 +45024,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate + LastWrite 
@@ -41834,6 +45051,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate + LastWrite @@ -41860,6 +45078,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate + LastWrite @@ -41886,6 +45105,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate + LastWrite @@ -41912,6 +45132,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate + LastWrite @@ -41938,6 +45159,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate + LastWrite @@ -41964,6 +45186,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate + LastWrite @@ -41990,6 +45213,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry + LastWrite @@ -42016,6 +45240,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps + LastWrite 
@@ -42042,6 +45267,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate + LastWrite @@ -42068,6 +45294,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock + LastWrite @@ -42094,6 +45321,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate + LastWrite @@ -42120,6 +45348,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites + LastWrite @@ -42146,6 +45375,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate + LastWrite @@ -42172,6 +45402,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation + LastWrite @@ -42198,6 +45429,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures + LastWrite @@ -42224,6 +45456,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction IESF_PolicyExplorerProcesses_2 + LastWrite 
@@ -42250,6 +45483,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE + LastWrite @@ -42276,6 +45510,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -42300,6 +45535,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverride + LastWrite @@ -42324,6 +45562,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverrideForAppRepUnknown + LastWrite @@ -42350,6 +45591,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory + LastWrite @@ -42374,6 +45616,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + AddonManagement_RestrictCrashDetection + LastWrite @@ -42400,10 +45645,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP + LastWrite - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -42426,6 +45672,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory + LastWrite 
@@ -42452,6 +45699,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures + LastWrite @@ -42478,6 +45726,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols + LastWrite @@ -42504,6 +45753,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise + LastWrite @@ -42530,6 +45780,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead + LastWrite @@ -42556,6 +45807,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError + LastWrite @@ -42582,6 +45834,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing + LastWrite @@ -42608,6 +45861,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit + LastWrite @@ -42632,6 +45886,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictProxy + LastWrite @@ -42658,6 +45915,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider + LastWrite 
@@ -42684,6 +45942,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages + LastWrite @@ -42710,6 +45969,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check + LastWrite @@ -42736,6 +45996,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoUpdateCheck + LastWrite @@ -42762,6 +46023,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat + LastWrite @@ -42788,6 +46050,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_zones_map_edit + LastWrite @@ -42814,6 +46077,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_options_edit + LastWrite @@ -42840,6 +46104,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -42866,6 +46131,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist + LastWrite @@ -42892,6 +46158,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites + LastWrite 
@@ -42918,6 +46185,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet + LastWrite @@ -42944,6 +46212,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 + LastWrite @@ -42970,6 +46239,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 + LastWrite @@ -42996,6 +46266,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 + LastWrite @@ -43022,6 +46293,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 + LastWrite @@ -43048,6 +46320,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 + LastWrite @@ -43074,6 +46347,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 + LastWrite 
@@ -43100,10 +46374,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -43126,6 +46401,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 + LastWrite @@ -43152,6 +46428,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -43176,8 +46453,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet + LastWrite @@ -43202,8 +46480,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAllowTDCControl_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowTDCControl_Both_Internet + LastWrite @@ -43230,6 +46509,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 + LastWrite 
@@ -43254,8 +46534,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyWindowsRestrictionsURLaction_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyWindowsRestrictionsURLaction_1 + LastWrite @@ -43282,6 +46563,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 + LastWrite @@ -43308,6 +46590,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 + LastWrite @@ -43334,6 +46617,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 + LastWrite @@ -43360,10 +46644,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 + LastWrite - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls 
@@ -43386,32 +46671,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite @@ -43436,8 +46696,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyDownloadSignedActiveX_3 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + LastWrite @@ -43464,6 +46725,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 + LastWrite @@ -43488,8 +46750,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyTurnOnXSSFilter_Both_Internet + LastWrite @@ -43516,6 +46779,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + LastWrite 
@@ -43542,6 +46806,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + LastWrite @@ -43568,6 +46833,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 + LastWrite @@ -43592,8 +46858,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_TurnOnProtectedMode_2 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_TurnOnProtectedMode_1 + LastWrite @@ -43620,6 +46887,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 + LastWrite @@ -43646,36 +46914,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 + LastWrite - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - - - - InternetZoneJavaPermissionsWRONG1 + InternetZoneJavaPermissions 
@@ -43698,32 +46941,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 - - - - InternetZoneJavaPermissionsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 + LastWrite @@ -43750,6 +46968,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + LastWrite @@ -43776,6 +46995,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 + LastWrite @@ -43802,6 +47022,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 + LastWrite @@ -43828,6 +47049,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -43854,6 +47076,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 + LastWrite 
@@ -43880,6 +47103,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 + LastWrite @@ -43906,6 +47130,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 + LastWrite @@ -43932,6 +47157,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite @@ -43958,6 +47184,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 + LastWrite @@ -43984,6 +47211,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 + LastWrite @@ -44010,6 +47238,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 + LastWrite @@ -44036,6 +47265,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 + LastWrite 
@@ -44062,6 +47292,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 + LastWrite @@ -44088,6 +47319,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + LastWrite @@ -44114,6 +47346,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 + LastWrite @@ -44140,6 +47373,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 + LastWrite @@ -44166,6 +47400,34 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 + LastWrite + + + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite 
@@ -44192,6 +47454,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + LastWrite @@ -44218,6 +47535,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 + LastWrite @@ -44244,6 +47562,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 + LastWrite @@ -44270,6 +47589,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 + LastWrite @@ -44296,6 +47616,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 + LastWrite 
@@ -44322,6 +47643,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 + LastWrite @@ -44348,6 +47670,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 + LastWrite @@ -44374,6 +47697,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + LastWrite @@ -44400,6 +47724,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 + LastWrite @@ -44426,6 +47751,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 + LastWrite @@ -44452,6 +47778,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 + LastWrite @@ -44476,8 +47803,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + LastWrite 
@@ -44504,6 +47832,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 + LastWrite @@ -44530,6 +47859,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 + LastWrite @@ -44556,6 +47886,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 + LastWrite @@ -44582,6 +47913,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 + LastWrite @@ -44608,6 +47940,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 + LastWrite @@ -44634,6 +47967,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 + LastWrite @@ -44660,6 +47994,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 + LastWrite 
@@ -44686,6 +48021,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 + LastWrite @@ -44712,6 +48048,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + LastWrite @@ -44738,6 +48075,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 + LastWrite @@ -44764,6 +48102,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 + LastWrite @@ -44790,6 +48129,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 + LastWrite @@ -44816,6 +48156,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 + LastWrite @@ -44842,6 +48183,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 + LastWrite 
@@ -44868,6 +48210,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 + LastWrite @@ -44894,6 +48237,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 + LastWrite @@ -44920,6 +48264,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 + LastWrite @@ -44946,6 +48291,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 + LastWrite @@ -44972,6 +48318,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 + LastWrite @@ -44998,6 +48345,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 + LastWrite @@ -45024,6 +48372,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + LastWrite 
@@ -45050,6 +48399,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 + LastWrite @@ -45076,6 +48426,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 + LastWrite @@ -45102,6 +48453,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 + LastWrite @@ -45128,6 +48480,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 + LastWrite @@ -45154,6 +48507,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 + LastWrite @@ -45180,6 +48534,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 + LastWrite @@ -45206,6 +48561,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 + LastWrite 
@@ -45232,6 +48588,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 + LastWrite @@ -45258,6 +48615,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 + LastWrite @@ -45284,6 +48642,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 + LastWrite @@ -45310,6 +48669,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + LastWrite @@ -45336,6 +48696,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 + LastWrite @@ -45362,6 +48723,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 + LastWrite @@ -45388,6 +48750,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 + LastWrite 
@@ -45414,6 +48777,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 + LastWrite @@ -45440,6 +48804,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 + LastWrite @@ -45466,6 +48831,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 + LastWrite @@ -45492,6 +48858,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 + LastWrite @@ -45518,6 +48885,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 + LastWrite @@ -45544,6 +48912,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 + LastWrite @@ -45570,6 +48939,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 + LastWrite 
@@ -45596,6 +48966,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 + LastWrite @@ -45622,6 +48993,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + LastWrite @@ -45648,6 +49020,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 + LastWrite @@ -45674,6 +49047,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 + LastWrite @@ -45700,6 +49074,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 + LastWrite @@ -45726,6 +49101,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 + LastWrite @@ -45752,6 +49128,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 + LastWrite 
@@ -45778,6 +49155,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 + LastWrite @@ -45804,6 +49182,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 + LastWrite @@ -45830,6 +49209,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 + LastWrite @@ -45856,6 +49236,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 + LastWrite @@ -45882,6 +49263,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 + LastWrite @@ -45908,6 +49290,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 + LastWrite @@ -45934,6 +49317,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + LastWrite 
@@ -45960,6 +49344,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 + LastWrite @@ -45986,6 +49371,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 + LastWrite @@ -46012,6 +49398,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 + LastWrite @@ -46038,6 +49425,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 + LastWrite @@ -46064,6 +49452,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 + LastWrite @@ -46090,6 +49479,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 + LastWrite @@ -46116,6 +49506,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 + LastWrite 
@@ -46142,6 +49533,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 + LastWrite @@ -46168,6 +49560,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 + LastWrite @@ -46192,8 +49585,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 + inetres~AT~WindowsComponents~InternetExplorer + Disable_Managing_Safety_Filter_IE9 + LastWrite @@ -46220,6 +49614,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall + LastWrite @@ -46246,6 +49641,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyAllProcesses_9 + LastWrite @@ -46272,6 +49668,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime + LastWrite @@ -46298,6 +49695,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyAllProcesses_11 + LastWrite 
@@ -46324,6 +49722,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 + LastWrite @@ -46348,8 +49747,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyActiveScripting_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyActiveScripting_7 + LastWrite @@ -46376,6 +49776,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 + LastWrite @@ -46402,6 +49803,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 + LastWrite @@ -46426,8 +49828,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBinaryBehaviors_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBinaryBehaviors_7 + LastWrite @@ -46454,6 +49857,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 + LastWrite 
@@ -46480,6 +49884,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 + LastWrite @@ -46504,12 +49909,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFileDownload_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFileDownload_7 + LastWrite - RestrictedSitesZoneAllowFontDownloadsWRONG1 + RestrictedSitesZoneAllowFontDownloads @@ -46532,32 +49938,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 + LastWrite @@ -46584,6 +49965,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 + LastWrite @@ -46610,6 +49992,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 + LastWrite 
@@ -46634,8 +50017,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowMETAREFRESH_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowMETAREFRESH_7 + LastWrite @@ -46662,6 +50046,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + LastWrite @@ -46688,6 +50073,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + LastWrite @@ -46714,6 +50100,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted + LastWrite @@ -46740,6 +50127,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 + LastWrite @@ -46766,6 +50154,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 + LastWrite 
@@ -46792,6 +50181,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 + LastWrite @@ -46818,6 +50208,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 + LastWrite @@ -46844,6 +50235,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 + LastWrite @@ -46870,6 +50262,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 + LastWrite @@ -46896,6 +50289,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + LastWrite @@ -46922,6 +50316,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 + LastWrite 
@@ -46948,6 +50343,34 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 + LastWrite + + + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite @@ -46974,6 +50397,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + LastWrite @@ -47000,6 +50424,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + LastWrite @@ -47026,6 +50451,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 + LastWrite @@ -47052,6 +50478,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 + LastWrite @@ -47078,6 +50505,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 + LastWrite 
@@ -47104,6 +50532,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 + LastWrite @@ -47130,6 +50559,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + LastWrite @@ -47156,6 +50586,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 + LastWrite @@ -47182,6 +50613,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -47206,8 +50638,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -47232,8 +50665,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyRunActiveXControls_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyRunActiveXControls_7 + LastWrite 
@@ -47260,6 +50694,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 + LastWrite @@ -47284,12 +50719,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXMarkedSafe_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXMarkedSafe_7 + LastWrite - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -47310,12 +50746,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptingOfJavaApplets_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptingOfJavaApplets_7 + LastWrite - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -47338,10 +50775,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 + LastWrite - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -47364,10 +50802,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode 
@@ -47390,10 +50829,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 + LastWrite - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -47416,6 +50856,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 + LastWrite @@ -47442,6 +50883,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyAllProcesses_12 + LastWrite @@ -47468,6 +50910,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyAllProcesses_8 + LastWrite @@ -47494,10 +50937,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider + LastWrite - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -47520,6 +50964,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_HKLM_only + LastWrite @@ -47546,6 +50991,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall + LastWrite 
@@ -47572,6 +51018,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 + LastWrite @@ -47598,6 +51045,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 + LastWrite @@ -47624,6 +51072,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 + LastWrite @@ -47650,6 +51099,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 + LastWrite @@ -47676,6 +51126,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 + LastWrite @@ -47702,6 +51153,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + LastWrite @@ -47728,6 +51180,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 + LastWrite 
@@ -47754,6 +51207,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 + LastWrite @@ -47780,6 +51234,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 + LastWrite + + + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite @@ -47806,6 +51315,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite 
@@ -47832,6 +51396,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 + LastWrite @@ -47858,58 +51423,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - - - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -47956,6 +51470,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ForestSearch + LastWrite @@ -47982,6 +51497,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos EnableCbacAndArmor + LastWrite @@ -48008,6 +51524,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ClientRequireFast + LastWrite @@ -48034,6 +51551,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ValidateKDC + LastWrite @@ -48060,6 +51578,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos MaxTokenSize + LastWrite 
@@ -48103,6 +51622,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -48126,6 +51646,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -48156,9 +51677,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 0 @@ -48175,6 +51696,7 @@ If you disable or do not configure this policy (recommended), users will be able text/plain phone + LastWrite 
@@ -48206,7 +51728,8 @@ Default: Disabled. text/plain - desktop + phone + LastWrite @@ -48233,7 +51756,8 @@ Note: If the Guest account is disabled and the security option Network Access: S text/plain - desktop + phone + LastWrite @@ -48272,6 +51796,7 @@ It is possible for applications that use remote interactive logons to bypass thi text/plain phone + LastWrite @@ -48285,7 +51810,7 @@ It is possible for applications that use remote interactive logons to bypass thi This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. - + Administrator @@ -48299,6 +51824,7 @@ Default: Administrator. text/plain phone + LastWrite @@ -48312,7 +51838,7 @@ Default: Administrator. This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. - + Guest 
@@ -48326,6 +51852,131 @@ Default: Guest. text/plain phone + LastWrite + + + + Devices_AllowedToFormatAndEjectRemovableMedia + + + + + Devices: Allowed to format and eject removable media + +This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: + +Administrators +Administrators and Interactive Users + +Default: This policy is not defined and only Administrators have this ability. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_AllowUndockWithoutHavingToLogon + + + + + Devices: Allow undock without having to log on +This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +Default: Enabled. + +Caution +Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + + + + Devices: Prevent users from installing printer drivers when connecting to shared printers + +For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. 
If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. + +Default on servers: Enabled. +Default on workstations: Disabled + +Notes + +This setting does not affect the ability to add a local printer. +This setting does not affect Administrators. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + + + + Devices: Restrict CD-ROM access to locally logged-on user only + +This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. + +If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. + +Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48352,10 +52003,11 @@ Do not display user information (3) text/plain phone + LastWrite - Interactivelogon_DoNotDisplayLastSignedIn + InteractiveLogon_DoNotDisplayLastSignedIn @@ -48381,10 +52033,11 @@ Default: Disabled. text/plain phone + LastWrite - Interactivelogon_DoNotDisplayUsernameAtSignIn + InteractiveLogon_DoNotDisplayUsernameAtSignIn @@ -48396,7 +52049,7 @@ If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. - 0 + 1 @@ -48410,10 +52063,11 @@ Default: Disabled. text/plain phone + LastWrite - Interactivelogon_DoNotRequireCTRLALTDEL + InteractiveLogon_DoNotRequireCTRLALTDEL @@ -48442,6 +52096,7 @@ Default on stand-alone computers: Enabled. text/plain phone + LastWrite @@ -48468,6 +52123,8 @@ Default: not enforced. text/plain + phone + LastWrite @@ -48497,6 +52154,8 @@ Default: No message. text/plain phone + LastWrite + 0xF000 @@ -48524,6 +52183,7 @@ Default: No message. text/plain phone + LastWrite 
@@ -48553,6 +52213,7 @@ Default: Disabled. text/plain phone + LastWrite @@ -48582,6 +52243,7 @@ Default: Enabled. text/plain phone + LastWrite @@ -48611,6 +52273,7 @@ This policy is supported on at least Windows Server 2016. text/plain phone + LastWrite @@ -48636,6 +52299,7 @@ This policy will be turned off by default on domain joined machines. This would text/plain phone + LastWrite @@ -48663,6 +52327,40 @@ Default: This policy is not defined and automatic administrative logon is not al text/plain phone + LastWrite + + + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + + + + Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48694,6 +52392,7 @@ Default: Disabled. text/plain phone + LastWrite 
@@ -48706,10 +52405,10 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - 1 +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + 0 @@ -48723,6 +52422,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U text/plain phone + LastWrite 
@@ -48737,18 +52437,18 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 0 +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + 5 @@ -48762,6 +52462,7 @@ The options are: text/plain phone + LastWrite 
@@ -48775,12 +52476,12 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 0 +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + 3 
@@ -48794,6 +52495,39 @@ The options are: text/plain phone + LastWrite + + + + UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + + + + User Account Control: Detect application installations and prompt for elevation + +This policy setting controls the behavior of application installation detection for the computer. + +The options are: + +Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite 
@@ -48808,77 +52542,9 @@ This policy setting enforces public key infrastructure (PKI) signature checks fo The options are: -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - 1 - - - - - - - - - - - text/plain - - phone - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - 1 - - - - - - - - - - - text/plain - - phone - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. 
- -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. 0 
@@ -48893,6 +52559,77 @@ The options are: text/plain phone + LastWrite + + + + UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + + + + User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +The options are: + +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + + + + User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: + +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. 
Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48907,9 +52644,9 @@ This policy setting controls whether the elevation request prompt is displayed o The options are: -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 1 @@ -48924,6 +52661,7 @@ The options are: text/plain phone + LastWrite @@ -48938,10 +52676,10 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i The options are: -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - 1 +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + 0 @@ -48955,6 +52693,7 @@ The options are: text/plain phone + LastWrite 
@@ -48969,9 +52708,9 @@ This policy setting controls whether application write failures are redirected t The options are: -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -• Disabled: Applications that write data to protected locations fail. +• Disabled: Applications that write data to protected locations fail. 1 @@ -48986,6 +52725,7 @@ The options are: text/plain phone + LastWrite @@ -49028,6 +52768,7 @@ The options are: text/plain + LastWrite @@ -49071,6 +52812,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -49113,6 +52855,7 @@ The options are: text/plain + LastWrite @@ -49135,6 +52878,7 @@ The options are: text/plain + LastWrite @@ -49178,6 +52922,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49201,6 +52946,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49224,6 +52970,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49266,6 +53013,7 @@ The options are: text/plain + LastWrite @@ -49288,6 +53036,7 @@ The options are: text/plain + LastWrite @@ -49310,6 +53059,7 @@ The options are: text/plain + LastWrite @@ -49332,6 +53082,7 @@ The options are: text/plain + LastWrite @@ -49354,6 +53105,7 @@ The options are: text/plain + LastWrite @@ -49376,6 +53128,7 @@ The options are: text/plain + LastWrite @@ -49398,6 +53151,7 @@ The options are: text/plain + LastWrite @@ -49420,6 +53174,7 @@ The options are: text/plain + LastWrite @@ -49466,6 +53221,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat AllowStandbyStatesAC_2 + LastWrite @@ -49492,6 +53248,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutDC_2 + LastWrite 
@@ -49518,6 +53275,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutAC_2 + LastWrite @@ -49544,6 +53302,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCHibernateTimeOut_2 + LastWrite @@ -49570,6 +53329,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACHibernateTimeOut_2 + LastWrite @@ -49596,6 +53356,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCPromptForPasswordOnResume_2 + LastWrite @@ -49622,6 +53383,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACPromptForPasswordOnResume_2 + LastWrite @@ -49648,6 +53410,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCStandbyTimeOut_2 + LastWrite @@ -49674,6 +53437,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACStandbyTimeOut_2 + LastWrite @@ -49720,6 +53484,7 @@ The options are: Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions_Win7 + LastWrite @@ -49746,6 +53511,7 @@ The options are: Printing2.admx Printing2~AT~Printers PublishPrinters + LastWrite @@ -49788,7 +53554,7 @@ The options are: text/plain - desktop + LowestValueMostSecure @@ -49812,6 +53578,7 @@ The options are: text/plain 10.0.10240 + LowestValueMostSecure @@ -49834,6 +53601,7 @@ The options are: text/plain + LowestValueMostSecureZeroHasNoLimits @@ -49856,6 +53624,7 @@ The options are: text/plain + HighestValueMostSecure @@ -49878,6 +53647,7 @@ The options are: text/plain + HighestValueMostSecure @@ -49900,6 +53670,8 @@ The options are: text/plain + LastWrite + ; @@ -49922,6 +53694,8 @@ The options are: text/plain + LastWrite + ; @@ -49944,6 +53718,8 @@ The options are: text/plain + LastWrite + ; @@ -49966,6 +53742,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -49988,6 +53765,8 @@ The options are: text/plain + LastWrite + ; @@ -50010,6 +53789,8 @@ The options are: text/plain + LastWrite + ; @@ -50032,6 +53813,8 @@ The options are: text/plain + LastWrite + ; @@ -50054,6 +53837,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50076,6 +53860,8 @@ The options are: text/plain + LastWrite + ; @@ -50098,6 +53884,8 @@ The options are: text/plain + LastWrite + ; @@ -50120,6 +53908,8 @@ The options are: text/plain + LastWrite + ; @@ -50142,6 +53932,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50164,6 +53955,8 @@ The options are: text/plain + LastWrite + ; @@ -50186,6 +53979,8 @@ The options are: text/plain + LastWrite + ; @@ -50208,94 +54003,8 @@ The options are: text/plain - - - - LetAppsAccessCellularData - - - - - This policy setting specifies whether Windows apps can access cellular data. - 0 - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - + LastWrite + ; 
@@ -50318,6 +54027,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50340,6 +54050,8 @@ The options are: text/plain + LastWrite + ; @@ -50362,6 +54074,8 @@ The options are: text/plain + LastWrite + ; @@ -50384,6 +54098,8 @@ The options are: text/plain + LastWrite + ; @@ -50406,6 +54122,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50428,6 +54145,8 @@ The options are: text/plain + LastWrite + ; @@ -50450,6 +54169,8 @@ The options are: text/plain + LastWrite + ; @@ -50472,6 +54193,8 @@ The options are: text/plain + LastWrite + ; @@ -50494,6 +54217,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50516,6 +54240,8 @@ The options are: text/plain + LastWrite + ; @@ -50538,6 +54264,8 @@ The options are: text/plain + LastWrite + ; @@ -50560,6 +54288,8 @@ The options are: text/plain + LastWrite + ; @@ -50582,6 +54312,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50604,6 +54335,8 @@ The options are: text/plain + LastWrite + ; @@ -50626,6 +54359,8 @@ The options are: text/plain + LastWrite + ; @@ -50648,6 +54383,8 @@ The options are: text/plain + LastWrite + ; @@ -50670,6 +54407,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50692,6 +54430,8 @@ The options are: text/plain + LastWrite + ; @@ -50714,6 +54454,8 @@ The options are: text/plain + LastWrite + ; @@ -50736,6 +54478,8 @@ The options are: text/plain + LastWrite + ; @@ -50758,6 +54502,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50780,6 +54525,8 @@ The options are: text/plain + LastWrite + ; @@ -50802,6 +54549,8 @@ The options are: text/plain + LastWrite + ; @@ -50824,6 +54573,8 @@ The options are: text/plain + LastWrite + ; @@ -50846,6 +54597,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50868,6 +54620,8 @@ The options are: text/plain + LastWrite + ; @@ -50890,6 +54644,8 @@ The options are: text/plain + LastWrite + ; @@ -50912,6 +54668,8 @@ The options are: text/plain + LastWrite + ; 
@@ -50934,6 +54692,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50956,6 +54715,8 @@ The options are: text/plain + LastWrite + ; @@ -50978,6 +54739,8 @@ The options are: text/plain + LastWrite + ; @@ -51000,6 +54763,8 @@ The options are: text/plain + LastWrite + ; @@ -51022,6 +54787,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51044,6 +54810,8 @@ The options are: text/plain + LastWrite + ; @@ -51066,6 +54834,8 @@ The options are: text/plain + LastWrite + ; @@ -51088,6 +54858,8 @@ The options are: text/plain + LastWrite + ; @@ -51110,6 +54882,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51132,6 +54905,8 @@ The options are: text/plain + LastWrite + ; @@ -51154,6 +54929,8 @@ The options are: text/plain + LastWrite + ; @@ -51176,6 +54953,8 @@ The options are: text/plain + LastWrite + ; @@ -51198,6 +54977,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51220,6 +55000,8 @@ The options are: text/plain + LastWrite + ; @@ -51242,6 +55024,8 @@ The options are: text/plain + LastWrite + ; @@ -51264,6 +55048,8 @@ The options are: text/plain + LastWrite + ; @@ -51286,6 +55072,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51308,6 +55095,8 @@ The options are: text/plain + LastWrite + ; @@ -51330,6 +55119,8 @@ The options are: text/plain + LastWrite + ; @@ -51352,6 +55143,8 @@ The options are: text/plain + LastWrite + ; @@ -51374,6 +55167,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51396,6 +55190,8 @@ The options are: text/plain + LastWrite + ; @@ -51418,6 +55214,8 @@ The options are: text/plain + LastWrite + ; @@ -51440,6 +55238,8 @@ The options are: text/plain + LastWrite + ; @@ -51448,7 +55248,7 @@ The options are: - This policy setting specifies whether Windows apps can sync with devices. + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. 0 @@ -51462,6 +55262,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -51470,7 +55271,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51484,6 +55285,8 @@ The options are: text/plain + LastWrite + ; @@ -51492,7 +55295,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51506,6 +55309,8 @@ The options are: text/plain + LastWrite + ; @@ -51514,7 +55319,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51528,6 +55333,8 @@ The options are: text/plain + LastWrite + ; @@ -51550,6 +55357,7 @@ The options are: text/plain + HighestValueMostSecure 
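Review bot: the three LetAppsSyncWithDevices list descriptions are reworded to "communicate with unpaired wireless devices" but do not agree on the wording of the Settings item: the _UserInControl hunk quotes it capitalised as 'Communicate with unpaired wireless devices' (a UI label) while the ForceAllow and ForceDeny hunks use it lowercase as plain prose. Pick one form for all three so an administrator searching the DDF finds the same string. Keeping the node name LetAppsSyncWithDevices while the text no longer mentions syncing is fine for compatibility, but that is worth a sentence in the commit message.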
@@ -51596,6 +55404,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Options + LastWrite @@ -51622,6 +55431,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Logging + LastWrite @@ -51648,6 +55458,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Solicit + LastWrite @@ -51674,6 +55485,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Unsolicit + LastWrite @@ -51720,6 +55532,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS TS_DISABLE_CONNECTIONS + LastWrite @@ -51746,6 +55559,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_ENCRYPTION_POLICY + LastWrite @@ -51772,6 +55586,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION TS_CLIENT_DRIVE_M + LastWrite @@ -51798,6 +55613,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT TS_CLIENT_DISABLE_PASSWORD_SAVING_2 + LastWrite @@ -51824,6 +55640,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_PASSWORD + LastWrite @@ -51850,6 +55667,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_RPC_ENCRYPTION + LastWrite @@ -51896,6 +55714,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowBasic_2 + LastWrite @@ -51922,6 +55741,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowBasic_1 + LastWrite 
@@ -51946,8 +55766,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_1 + WindowsRemoteManagement~AT~WindowsComponents~WinRMClient + AllowCredSSP_2 + LastWrite @@ -51973,7 +55794,8 @@ The options are: phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_2 + AllowCredSSP_1 + LastWrite @@ -52000,6 +55822,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowAutoConfig + LastWrite @@ -52026,6 +55849,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowUnencrypted_2 + LastWrite @@ -52052,6 +55876,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowUnencrypted_1 + LastWrite @@ -52078,6 +55903,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient DisallowDigest + LastWrite @@ -52102,8 +55928,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisallowNegotiate_1 + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + DisallowNegotiate_2 + LastWrite @@ -52128,8 +55955,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowNegotiate_2 + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + DisallowNegotiate_1 + LastWrite @@ -52156,6 +55984,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService DisableRunAs + LastWrite @@ -52182,6 +56011,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService CBTHardeningLevel_1 + LastWrite 
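Review bot: the new ADMX category for AllowCredSSP_2 in the `@@ -51946,8 +55766,9 @@` hunk is `WindowsRemoteManagement~AT~WindowsComponents~WinRMClient`, which drops the `WinRM~` segment that every other client policy in this file uses (compare `WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient` for AllowBasic_2, AllowUnencrypted_2, DisallowDigest, and the corrected DisallowNegotiate_2 hunk further down). A category path that does not match the admx file will not map the policy onto its Group Policy definition, so change it to `WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient`. The swap of the _1/_2 suffixes between the WinRMService and WinRMClient nodes for both AllowCredSSP and DisallowNegotiate is otherwise consistent, but since it changes which registry policy each node writes, it deserves an explicit line in the commit message.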
@@ -52208,6 +56038,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient TrustedHosts + LastWrite @@ -52234,6 +56065,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpCompatibilityListener + LastWrite @@ -52260,6 +56092,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpsCompatibilityListener + LastWrite @@ -52306,6 +56139,7 @@ The options are: rpc.admx RPC~AT~System~Rpc RpcRestrictRemoteClients + LastWrite @@ -52332,6 +56166,7 @@ The options are: rpc.admx RPC~AT~System~Rpc RpcEnableAuthEpResolution + LastWrite @@ -52378,6 +56213,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS AllowRemoteShellAccess + LastWrite @@ -52404,6 +56240,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxConcurrentUsers + LastWrite @@ -52430,6 +56267,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS IdleTimeout + LastWrite @@ -52456,6 +56294,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxMemoryPerShellMB + LastWrite @@ -52482,6 +56321,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxProcessesPerShell + LastWrite @@ -52508,6 +56348,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxShellsPerUser + LastWrite @@ -52534,6 +56375,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS ShellTimeOut + LastWrite @@ -52556,6 +56398,29 @@ The options are: + + AllowCloudSearch + + + + + + 2 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + AllowIndexingEncryptedStoresOrItems @@ -52576,6 +56441,7 @@ The options are: text/plain + LowestValueMostSecure 
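Review bot: the new AllowCloudSearch node added in the `@@ -52556,6 +56398,29 @@` hunk shows a default of 2 and a `LowestValueMostSecure` conflict rule but no description text, unlike the other policy nodes added in this change (FeedbackHubAlwaysSaveDiagnosticsLocally and DisableDualScan both carry one). Without it nothing in the DDF says what 0, 1 and 2 mean, so add the description before this ships.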
@@ -52598,6 +56464,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52620,6 +56487,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52642,6 +56510,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52664,6 +56533,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52686,6 +56556,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52708,6 +56579,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52730,6 +56602,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52752,6 +56625,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52774,6 +56648,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52797,6 +56672,7 @@ The options are: text/plain desktop + HighestValueMostSecure @@ -52839,6 +56715,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52862,6 +56739,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -52884,6 +56762,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52907,6 +56786,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -52930,6 +56810,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -52952,6 +56833,7 @@ The options are: text/plain + LastWrite @@ -52974,6 +56856,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52996,6 +56879,7 @@ The options are: text/plain + HighestValueMostSecure @@ -53018,6 +56902,7 @@ The options are: text/plain + HighestValueMostSecure @@ -53061,6 +56946,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53083,6 +56969,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53105,6 +56992,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53127,6 +57015,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53150,6 +57039,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53173,6 +57063,7 @@ The options are: text/plain phone + LowestValueMostSecure 
@@ -53196,6 +57087,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53219,6 +57111,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53241,6 +57134,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53264,6 +57158,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53286,6 +57181,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53308,6 +57204,7 @@ The options are: text/plain + LastWrite @@ -53351,6 +57248,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53374,6 +57272,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53397,6 +57296,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53439,6 +57339,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53482,6 +57383,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53505,6 +57407,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53528,6 +57431,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53551,6 +57455,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53574,6 +57479,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53597,6 +57503,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53620,6 +57527,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53643,6 +57551,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53666,6 +57575,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53689,6 +57599,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53712,6 +57623,7 @@ The options are: text/plain phone + LastWrite @@ -53735,6 +57647,7 @@ The options are: text/plain phone + LastWrite @@ -53757,6 +57670,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53780,6 +57694,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53802,6 +57717,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -53824,6 +57740,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53847,6 +57764,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53869,6 +57787,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53892,6 +57811,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53915,6 +57835,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53937,6 +57858,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53959,6 +57881,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53981,6 +57904,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54003,6 +57927,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54025,6 +57950,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54047,6 +57973,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54070,6 +57997,7 @@ The options are: text/plain phone + LastWrite @@ -54093,6 +58021,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54116,6 +58045,7 @@ The options are: text/plain phone + LastWrite @@ -54138,6 +58068,30 @@ The options are: + + AllowDiskHealthModelUpdates + + + + + + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + EnhancedStorageDevices @@ -54162,6 +58116,7 @@ The options are: enhancedstorage.admx EnhancedStorage~AT~System~EnStorDeviceAccess TCGSecurityActivationDisabled + LastWrite @@ -54204,6 +58159,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54226,6 +58182,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54248,6 +58205,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54270,6 +58228,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54292,6 +58251,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54314,6 +58274,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54336,6 +58297,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -54358,6 +58320,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54384,6 +58347,7 @@ The options are: earlylauncham.admx EarlyLaunchAM~AT~System~ELAMCategory POL_DriverLoadPolicy_Name + LastWrite @@ -54392,7 +58356,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 0 @@ -54406,6 +58370,7 @@ The options are: text/plain + HighestValueMostSecure @@ -54432,6 +58397,30 @@ The options are: systemrestore.admx SystemRestore~AT~System~SR SR_DisableSR + LastWrite + + + + FeedbackHubAlwaysSaveDiagnosticsLocally + + + + + Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + 0 + + + + + + + + + + + text/plain + + LastWrite @@ -54454,6 +58443,7 @@ The options are: text/plain + LastWrite 
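Review bot: in the `@@ -54392,7 +58356,7 @@` hunk the removed and added OneDrive description lines read identically, so the change must be whitespace or character encoding (the apostrophes in "can’t" and "doesn’t"); either state that in the commit message or drop the hunk if it is an accidental editor rewrite. In the new FeedbackHubAlwaysSaveDiagnosticsLocally node, "when a feedback is filed" should be "when feedback is filed", and the text says "set to false" although the default shown is `0`; describe the values as 0 and 1 to match the other boolean policies in this file.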
@@ -54497,6 +58487,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54520,6 +58511,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54543,6 +58535,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54566,6 +58559,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54589,6 +58583,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54612,6 +58607,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54635,6 +58631,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54657,6 +58654,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54680,6 +58678,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54702,6 +58701,7 @@ The options are: text/plain + HighestValueMostSecure @@ -54725,6 +58725,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54748,6 +58749,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54791,6 +58793,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -54833,6 +58836,7 @@ The options are: text/plain + LastWrite @@ -54855,6 +58859,7 @@ The options are: text/plain + LastWrite @@ -54877,6 +58882,7 @@ The options are: text/plain + LastWrite @@ -54899,6 +58905,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54921,6 +58928,7 @@ The options are: text/plain + LastWrite @@ -54944,6 +58952,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54966,6 +58975,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54988,6 +58998,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55010,6 +59021,7 @@ The options are: text/plain + LastWrite @@ -55032,6 +59044,7 @@ The options are: text/plain + LastWrite @@ -55054,6 +59067,7 @@ The options are: text/plain + LastWrite @@ -55076,6 +59090,7 @@ The options are: text/plain + LastWrite @@ -55098,6 +59113,7 @@ The options are: text/plain + LastWrite 
@@ -55120,6 +59136,7 @@ The options are: text/plain + LastWrite @@ -55142,6 +59159,7 @@ The options are: text/plain + LastWrite @@ -55164,6 +59182,7 @@ The options are: text/plain + LastWrite @@ -55186,6 +59205,30 @@ The options are: text/plain + LastWrite + + + + DisableDualScan + + + + + Do not allow update deferral policies to cause scans against Windows Update + 0 + + + + + + + + + + + text/plain + + LastWrite @@ -55208,6 +59251,7 @@ The options are: text/plain + LastWrite @@ -55230,6 +59274,7 @@ The options are: text/plain + LastWrite @@ -55252,6 +59297,7 @@ The options are: text/plain + LastWrite @@ -55274,6 +59320,7 @@ The options are: text/plain + LastWrite @@ -55296,6 +59343,7 @@ The options are: text/plain + LastWrite @@ -55318,6 +59366,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55340,10 +59389,11 @@ The options are: text/plain + LowestValueMostSecure - ManageBuildPreview + ManagePreviewBuilds @@ -55362,6 +59412,7 @@ The options are: text/plain + LastWrite @@ -55384,6 +59435,7 @@ The options are: text/plain + LastWrite @@ -55406,6 +59458,7 @@ The options are: text/plain + LastWrite @@ -55428,6 +59481,7 @@ The options are: text/plain + LastWrite @@ -55450,6 +59504,7 @@ The options are: text/plain + LastWrite @@ -55472,6 +59527,7 @@ The options are: text/plain + LastWrite @@ -55494,6 +59550,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55516,6 +59573,7 @@ The options are: text/plain + LastWrite @@ -55538,6 +59596,7 @@ The options are: text/plain + HighestValueMostSecure @@ -55560,6 +59619,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55582,6 +59642,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55604,6 +59665,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55626,6 +59688,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55648,6 +59711,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55670,6 +59734,7 @@ The options are: text/plain + LowestValueMostSecure 
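Review bot: renaming the node from ManageBuildPreview to ManagePreviewBuilds in the `@@ -55340,10 +59389,11 @@` hunk is a breaking change for any management profile that already targets the old name; the commit message should call it out and the policy documentation and any release notes need the same rename. The new DisableDualScan description ("Do not allow update deferral policies to cause scans against Windows Update") is phrased as a Group Policy title rather than a description of what the 0 and 1 values do; reword it to say what each value does and end it with a period, matching the other descriptions in this file.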
@@ -55692,6 +59757,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55714,6 +59780,7 @@ The options are: text/plain + LastWrite @@ -55736,6 +59803,7 @@ The options are: text/plain + LastWrite @@ -55758,6 +59826,7 @@ The options are: text/plain + LastWrite @@ -55780,6 +59849,7 @@ The options are: text/plain + LastWrite @@ -55802,6 +59872,7 @@ The options are: text/plain + LastWrite @@ -55825,6 +59896,7 @@ The options are: text/plain phone + LastWrite @@ -55867,6 +59939,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55889,6 +59962,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55911,6 +59985,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55933,6 +60008,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55955,6 +60031,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55977,6 +60054,7 @@ The options are: text/plain + HighestValueMostSecureZeroHasNoLimits @@ -56020,6 +60098,7 @@ The options are: text/plain phone + LastWrite @@ -56043,6 +60122,7 @@ The options are: text/plain phone + LastWrite @@ -56066,6 +60146,7 @@ The options are: text/plain phone + LastWrite @@ -56089,6 +60170,7 @@ The options are: text/plain phone + LastWrite @@ -56112,6 +60194,7 @@ The options are: text/plain phone + LastWrite @@ -56135,6 +60218,7 @@ The options are: text/plain phone + LastWrite @@ -56158,6 +60242,7 @@ The options are: text/plain phone + LastWrite @@ -56181,6 +60266,7 @@ The options are: text/plain phone + LastWrite @@ -56204,6 +60290,7 @@ The options are: text/plain phone + LastWrite @@ -56227,6 +60314,7 @@ The options are: text/plain phone + LastWrite @@ -56250,6 +60338,7 @@ The options are: text/plain phone + LastWrite @@ -56273,6 +60362,7 @@ The options are: text/plain phone + LastWrite @@ -56296,6 +60386,7 @@ The options are: text/plain phone + LastWrite @@ -56319,6 +60410,7 @@ The options are: text/plain phone + LastWrite @@ -56362,6 +60454,7 @@ The options are: text/plain phone + LowestValueMostSecure 
@@ -56385,6 +60478,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -56431,6 +60525,7 @@ The options are: logon.admx Logon~AT~System~Logon DisableLockScreenAppNotifications + LastWrite @@ -56457,6 +60552,7 @@ The options are: logon.admx Logon~AT~System~Logon DontDisplayNetworkSelectionUI + LastWrite @@ -56479,6 +60575,7 @@ The options are: text/plain + HighestValueMostSecure @@ -56521,6 +60618,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56543,6 +60641,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56567,6 +60666,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56591,6 +60691,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56616,6 +60717,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -56640,6 +60742,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56662,6 +60765,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56686,6 +60790,7 @@ The options are: text/plain + LowestValueMostSecure diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index f4b6271552..a1cd701480 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
@@ -97,7 +97,7 @@ Appv.admx file: ## ADMX-backed policy examples -The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ### Enabling a policy @@ -119,7 +119,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ```XML - + 2 
@@ -169,7 +169,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ```XML - + 2 @@ -209,7 +209,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ``` - + 1 @@ -292,7 +292,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ```XML - + $CmdId$ @@ -333,7 +333,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ```XML - + 2 @@ -377,7 +377,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -409,7 +409,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -466,7 +466,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -503,7 +503,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -552,7 +552,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ```XML - + 2 diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md new file mode 100644 index 0000000000..03b15f9859 --- /dev/null +++ b/windows/client-management/windows-10-support-solutions.md 
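Review bot: in the `@@ -97,7 +97,7 @@` hunk of understanding-admx-backed-policies.md, "you can use favorite online tool" is missing a word and reads as a typo; since the intent of the edit is to stop recommending one specific third-party encoder, write "you can use any online XML-encoding tool" instead. While editing that sentence, "set a MDM policy" should be "set an MDM policy". The remaining hunks in this file touch only the opening line of each SyncML sample, and the visible text of those lines is blank, so the change cannot be verified here; a sentence in the commit message describing what was altered in the `<SyncML>` element would help reviewers.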
@@ -0,0 +1,62 @@ +--- +title: Top support solutions for Windows 10 +description: Get links to solutions for Windows 10 issues +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.author: elizapo +author: kaushika-msft +ms.localizationpriority: high +--- +# Top support solutions for Windows 10 + +Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates: + +- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/) +- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/) +- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/) + + +These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles. 
+ +## Solutions related to installing Windows updates or hotfixes +- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users) +- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) +- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog) +- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) +- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) +- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates) +- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017) +- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server) + +## Solutions related to Bugchecks or Stop Errors +- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros) +- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) +- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues) +- [Understanding 
Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/) +- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/) + +## Solutions related to installing or upgrading Windows +- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) +- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the) +- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) +- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) +- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem) +- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008) +- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632) +- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633) + +## Solutions related to configuring or managing the Start menu +- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies) +- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +- [Changes to Group Policy settings for Windows 10 Start](/windows/configuration/changes-to-start-policies-in-windows-10) +- [Preinstalled system applications and Start menu may not work when you upgrade to Windows 10, Version 
1511](https://support.microsoft.com/help/3152599) +- [Start menu shortcuts aren't immediately accessible in Windows Server 2016](https://support.microsoft.com/help/3198613) +- [Troubleshoot problems opening the Start menu or Cortana](https://support.microsoft.com/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana) +- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic) + +## Solutions related to wireless networking and 802.1X authentication + +- [Windows 10 devices can't connect to an 802.1X environment](http://support.microsoft.com/kb/3121002) +- [Windows 10 wireless connection displays "Limited" status](http://support.microsoft.com/kb/3114149) +- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](http://support.microsoft.com/kb/3084164) diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index f4a06d5d6a..8ccede5240 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
@@ -58,9 +58,65 @@ ### [Provision PCs with common settings for initial deployment (desktop wizard)](provisioning-packages/provision-pcs-for-initial-deployment.md) ### [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md) ### [Use a script to install a desktop app in provisioning packages](provisioning-packages/provisioning-script-to-install-app.md) +### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) -### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) +### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) +#### [Accounts](wcd/wcd-accounts.md) +#### [ADMXIngestion](wcd/wcd-admxingestion.md) +#### [ApplicationManagement](wcd/wcd-applicationmanagement.md) +#### [AssignedAccess](wcd/wcd-assignedaccess.md) +#### [AutomaticTime](wcd/wcd-automatictime.md) +#### [Browser](wcd/wcd-browser.md) +#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md) +#### [Cellular](wcd/wcd-cellular.md) +#### [Certificates](wcd/wcd-certificates.md) +#### [CleanPC](wcd/wcd-cleanpc.md) +#### [Connections](wcd/wcd-connections.md) +#### [ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) +#### [CountryAndRegion](wcd/wcd-countryandregion.md) +#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md) +#### [DeveloperSetup](wcd/wcd-developersetup.md) +#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md) +#### [DeviceManagement](wcd/wcd-devicemanagement.md) +#### [DMClient](wcd/wcd-dmclient.md) +#### [EditionUpgrade](wcd/wcd-editionupgrade.md) +#### [EmbeddedLockdownProfiles](wcd/wcd-embeddedlockdownprofiles.md) +#### 
[FirewallConfiguration](wcd/wcd-firewallconfiguration.md) +#### [FirstExperience](wcd/wcd-firstexperience.md) +#### [Folders](wcd/wcd-folders.md) +#### [InitialSetup](wcd/wcd-initialsetup.md) +#### [InternetExplorer](wcd/wcd-internetexplorer.md) +#### [Licensing](wcd/wcd-licensing.md) +#### [Maps](wcd/wcd-maps.md) +#### [Messaging](wcd/wcd-messaging.md) +#### [ModemConfigurations](wcd/wcd-modemconfigurations.md) +#### [Multivariant](wcd/wcd-multivariant.md) +#### [NetworkProxy](wcd/wcd-networkproxy.md) +#### [NetworkQOSPolicy](wcd/wcd-networkqospolicy.md) +#### [NFC](wcd/wcd-nfc.md) +#### [OOBE](wcd/wcd-oobe.md) +#### [OtherAssets](wcd/wcd-otherassets.md) +#### [Personalization](wcd/wcd-personalization.md) +#### [Policies](wcd/wcd-policies.md) +#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [SharedPC](wcd/wcd-sharedpc.md) +#### [Shell](wcd/wcd-shell.md) +#### [SMISettings](wcd/wcd-smisettings.md) +#### [Start](wcd/wcd-start.md) +#### [StartupApp](wcd/wcd-startupapp.md) +#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md) +#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md) +#### [TabletMode](wcd/wcd-tabletmode.md) +#### [TakeATest](wcd/wcd-takeatest.md) +#### [Theme](wcd/wcd-theme.md) +#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md) +#### [UniversalAppInstall](wcd/wcd-universalappinstall.md) +#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md) +#### [WeakCharger](wcd/wcd-weakcharger.md) +#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md) +#### [WLAN](wcd/wcd-wlan.md) +#### [Workplace](wcd/wcd-workplace.md) ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) ## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md) ### [Get Started with UE-V](ue-v/uev-getting-started.md) 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 9d2b98bf69..76c39cc45d 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -14,6 +14,12 @@ author: jdeckerms This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## August 2017 + +New or changed topic | Description +--- | --- + [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. + ## July 2017 | New or changed topic | Description | | --- | --- | @@ -38,6 +44,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New | | [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings | + ## April 2017 | New or changed topic | Description | @@ -45,6 +52,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Added instructions for using WMI bridge to configure shared PC | + ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: 
diff --git a/windows/configuration/images/admx-category.PNG b/windows/configuration/images/admx-category.PNG new file mode 100644 index 0000000000..465dd53fe3 Binary files /dev/null and b/windows/configuration/images/admx-category.PNG differ diff --git a/windows/configuration/images/admx-policy.PNG b/windows/configuration/images/admx-policy.PNG new file mode 100644 index 0000000000..c3c7b9a088 Binary files /dev/null and b/windows/configuration/images/admx-policy.PNG differ diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9c7505d906..e5ebed0c80 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -457,7 +457,7 @@ To turn off Live Tiles: - Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). -You must also unpin all tiles that are pinned to Start. +In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. ### 10. Mail synchronization @@ -1261,7 +1261,7 @@ To turn off **Let apps read or send messages (text or MMS)**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). To turn off **Choose apps that can read or send messages**: 
@@ -1690,6 +1690,9 @@ If you're running Windows 10, version 1607 or later, you only need to enable the - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** + > [!NOTE] + > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. + -or- - Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index c12120567c..baa60ac6fd 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -18,6 +18,9 @@ ms.localizationpriority: high Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +>[!NOTE] +>Applying a provisioning package to a desktop device requires administrator privileges on the device. + ## Desktop editions ### During initial setup, from a USB drive diff --git a/windows/configuration/set-up-a-device-for-anyone-to-use.md b/windows/configuration/set-up-a-device-for-anyone-to-use.md deleted file mode 100644 index af7765d2f8..0000000000 --- a/windows/configuration/set-up-a-device-for-anyone-to-use.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Set up a device for anyone to use in kiosk mode (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. -ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 -keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -ms.localizationpriority: high ---- - -# Set up a device for anyone to use (kiosk mode) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -**Looking for Windows Embedded 8.1 Industry information?** - -- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) - -You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. - -> [!NOTE]   -> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. 
- -  - -| Windows 10 edition | Universal Windows app | Classic Windows application | -|--------------------|------------------------------------|--------------------------------------| -| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | - -  - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
    TopicDescription

    [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

    A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.

    [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)

    A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.

    - - ## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -  - -  - - - - - diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 0bf7db49e7..e203016bfa 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - The following example shows how to pin the Internet Explorer Windows desktop application: + The following example shows how to pin the File Explorer Windows desktop application: ```XML \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images + >[!TIP] >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md new file mode 100644 index 0000000000..7e89dfdb30 --- /dev/null +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -0,0 +1,58 @@ +--- +title: Accounts (Windows 10) +description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Accounts (Windows Configuration Designer reference) + +Use these settings to join a device to an Active Directory domain or an Azure Active Directory tenant, or to add local user accounts to the device. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Azure](#azure) | X | X | X | | | +| [ComputerAccount](#computeraccount) | X | | X | | X | +| [Users](#users) | X | | X | X | | + + +## Azure + +The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure additional provisioning settings. For information about using the wizards, see: + +- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) +- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) +- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + +## ComputerAccount + +Specifies the settings you can configure when joining a device to a domain, including the computer name and the account to use for joining the computer to the domain. 
+ +>[!NOTE] +>If you want to create a provisioning package that joins a device to Active Directory AND sets `HideOobe`, and you want to apply that package during OOBE, we also recommend setting the `ComputerName` and creating a local admin account in the provisioning package. + +| Setting | Value | Description | +| --- | --- | --- | +| Account | string | Account to use to join computer to domain | +| AccountOU | string | Name of organizational unit for the computer account | +| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIALNUMBER% characters in the name.

    ComputerName is a string with a maximum length of 15 bytes of content:

    - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

    - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

    - ComputerName cannot use some non-standard characters, such as emoji.

    Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | +| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | +| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | + +## Users + +Use these settings to add local user accounts to the device. + +| Setting | Value | Description | +| --- | --- | --- | +| UserName | string (cannot be empty) | Specify a name for the local user account | +| HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user | +| Password | string (cannot be empty) | Specify the password for the user account | +| UserGroup | string (cannot be empty) | Specify the local user group for the user | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md new file mode 100644 index 0000000000..52223258ad --- /dev/null +++ b/windows/configuration/wcd/wcd-admxingestion.md 
@@ -0,0 +1,97 @@ +--- +title: ADMXIngestion (Windows 10) +description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ADMXIngestion (Windows Configuration Designer reference) + +Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). + +- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file. +- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported. + + +>[!IMPORTANT] +>Only per-device policies can be set using a provisioning package. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | | +| [ConfigOperations](#configoperations) | X | | | | | + +## ConfigADMXInstalledPolicy + +>[!IMPORTANT] +>Configure the settings to import the ADMX file in [ConfigOperations](#configoperations) first. + +In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for that policy from the imported ADMX. You will need information from the ADMX that you import in **ConfigOperations** to complete **ConfigADMXInstalledPolicy**. + +1. Enter an area name, and then click **Add**. 
The structure of the area name is the following: + + `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX` + + See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example. + + Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates` + +2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`. +3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, ``. + +## ConfigOperations + +Use **ConfigOperations** to import an ADXM file or policies from an ADMX file. + +1. Enter an app name, and then click **Add**. + + This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**. + +2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. + + The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. + +3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**. + + The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. + +4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions. + + >[!NOTE] + >When you have a large ADMX file, you may want to only include specific settings. 
Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line). + +5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one. + + + +## Convert multi-line to single line + +Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**. + +```PS +$path="file path" +Get-Content $path -Raw).Replace("'r'n","") | Set-Content $path -Force +``` + +## Category and policy in ADMX + +The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names. + +![Snippet of ADMX shows category names highlighted](../images/admx-category.png) + +The next image highlights the specific policy. + +![Snipped of ADMX shows policy setting highlighted](../images/admx-policy.png) + + +## Related topics + +- [Policy configuration service provider (CSP): ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed) +- [Understanding ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md new file mode 100644 index 0000000000..af27cea5f0 --- /dev/null +++ b/windows/configuration/wcd/wcd-applicationmanagement.md 
@@ -0,0 +1,69 @@ +--- +title: ApplicationManagement (Windows 10) +description: This section describes the ApplicationManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ApplicationManagement (Windows Configuration Designer reference) + +Use these settings to manage app installation and management. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAllTrustedApps](#allowalltrustedapps) | | | | | X | +| [AllowAppStoreAutoUpdate](#allowappstoreautoupdate) | | | | | X | +| [RestrictAppDataToSystemVolume](#restrictappdatatosystemvolume) | | | | | X | +| [RestrictAppToSystemVolume](#restrictapptosystemvolume) | | | | | X | + +## AllowAllTrustedApps + +Specifies whether non-Microsoft Store apps are allowed. + +| Value | Description | +| --- | --- | +| No | Only Microsoft Store apps are allowed | +| Yes | Non-Microsoft Store apps are allowed | + +## AllowAppStoreAutoUpdate + +Specifies whether automatic update of apps from Microsoft Store are allowed + +| Value | Description | +| --- | --- | +| Disallowed | Automatic update of apps is not allowed | +| Allowed | Automatic update of apps is allowed | + + +## RestrictAppDataToSystemVolume + +Specifies whether application data is restricted to the system drive. + +| Value | Description | +| --- | --- | +| 0 | Not restricted | +| 1 | Restricted | + + +## RestrictAppToSystemVolume + +Specifies whether the installation of applications is restricted to the system drive. 
+ +| Value | Description | +| --- | --- | +| 0 | Not restricted | +| 1 | Restricted | + +## Related topics + +- [Policy configuration service provider (CSP): ApplicationManagement/AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) +- [Policy CSP: ApplicationManagement/AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) +- [Policy CSP: ApplicationManagement/RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) +- [Policy CSP: ApplicationManagement/RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md new file mode 100644 index 0000000000..201fc633e1 --- /dev/null +++ b/windows/configuration/wcd/wcd-assignedaccess.md 
@@ -0,0 +1,35 @@ +--- +title: AssignedAccess (Windows 10) +description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# AssignedAccess (Windows Configuration Designer reference) + +Use this setting to configure single use (kiosk) devices. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | | + + +## AssignedAccessSettings + +Enter the account and the application you want to use for Assigned access, using [the AUMID](https://msdn.microsoft.com/windows/hardware/commercialize/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). When that user account signs in on the device, only the specified app will run. + +**Example**: + +``` +"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" +``` +## Related topics + +- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md new file mode 100644 index 0000000000..52d9845460 --- /dev/null +++ b/windows/configuration/wcd/wcd-automatictime.md 
@@ -0,0 +1,45 @@ +--- +title: AutomaticTime (Windows 10) +description: This section describes the AutomaticTime settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# AutomaticTime (Windows Configuration Designer reference) + +Use these settings to configure automatic time updates. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | | +| [NTPRetryInterval](#ntpretryinterval) | | X | | | | +| [NTPServer](#ntpserver) | | X | | | | + + +## NTPRegularSyncInterval + +Set the regular sync interval for phones that are set to use Network Time Protocol (NTP) time servers. Select a value between `1` and `168` hours, inclusive, The default sync interval is `12` hours. + + +## NTPRetryInterval + +Set the retry interval if the regular sync fails. Select a value between `1` and `24` hours, inclusive. + +## NTPServer + +Change the default NTP server for phones that are set to use NTP. To enumerate the NTP source server(s) used by the NTP client, set the value for NTPServer to a list of server names, delimited by semi-colons. + +**Example**: + +``` +ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com +``` + +The list should contain one or more server names. The default NTP source server value is `time.windows.com`. diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md new file mode 100644 index 0000000000..a8af54b4f9 --- /dev/null +++ b/windows/configuration/wcd/wcd-browser.md 
@@ -0,0 +1,86 @@ +--- +title: Browser (Windows 10) +description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Browser (Windows Configuration Designer reference) + +Use to configure browser settings that should only be set by OEMs who are part of the Partner Search Code program. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Favorites](#favorites) | | X | | | | +| [PartnerSearchCode](#partnersearchcode) | X | X | X | X | | +| [SearchProviders](#searchproviders) | | X | | | | + +## Favorites + +Use to configure the default list of Favorites that show up in the browser. + +To add a new item under the browser's **Favorites** list: + +1. In the **Name** field, enter a friendly name for the item, and then click **Add**. + +2. In the **Available customizations** pane, select the friendly name that you just created, and in the text field, enter the URL for the item. + +For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "http://www.contoso.com" for the URL. + + +## PartnerSearchCode + +>[!IMPORTANT] +>This setting should only be set by OEMs who are part of the Partner Search Code program. + +Set the value to a character string that corresponds to the OEM's Partner Search Code. This identification code must match the one assigned to you by Microsoft. + +OEMs who are part of the program only have one PartnerSearchCode and this should be used for all Windows 10 for desktop editions images. 
+ + + + +## SearchProviders + +Contains the settings you can use to configure the default and additional search providers. + +Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default). + + +### Default + +Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this will default to Microsoft Bing. + +#### Specific region guidance + +Some countries require specific, default search providers. The following table lists the applicable countries and information for configuring the necessary search provider. + +>[!NOTE] +>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey. + + + +### SearchProviderList + +Use to specify a list of additional search providers. + +1. In the **Name** field, enter a name for the item, and then click **Add**. + +2. In the **Available customizations** pane, select the name that you just created, and in the text field, enter the URL for the additional search provider. + +For example, to specify Yandex in Russia and Commonwealth of Independent States (CIS), set the value of URL to "https://yandex.ru/search/touch/?text={searchTerm}&clid=2234144". + +When configured with multiple search providers, the browser can display up to ten search providers. + +>[!IMPORTANT] +>Microsoft Bing is the default search provider for Windows 10 Mobile. 
The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default). + + + diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md new file mode 100644 index 0000000000..f3905fe8bc --- /dev/null +++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md 
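Review bot: In wcd-browser.md, the "Specific region guidance" section says "The following table lists the applicable countries and information for configuring the necessary search provider", but only a NOTE follows and no table; add the table or drop the sentence, since the Default and SearchProviderList sections both link to this guidance as the source of the per-country exceptions. The page intro, "Use to configure browser settings that should only be set by OEMs who are part of the Partner Search Code program", applies that restriction to the whole page, while the Applies to table and the Favorites and SearchProviders sections describe general settings; move the OEM-only scope to the PartnerSearchCode section, where the IMPORTANT block already states it. The IMPORTANT block at the end of SearchProviderList repeats the SearchProviders paragraph ("Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing ...") verbatim.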
@@ -0,0 +1,36 @@ +--- +title: CallAndMessageEnhancement (Windows 10) +description: This section describes the CallAndMessagingEnhancement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CallAndMessagingEnhancement (Windows Configuration Designer reference) + +Use to configure call origin and blocking apps. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [BlockingApp](#blockingapp) | | X | | | | +| [CallOriginApp](#calloriginapp) | | X | | | | + +## BlockingApp + +| Setting | Value | Description | +| --- | --- | --- | +| ActiveBlockingAppUserModelId | AUMID | The AUMID of the application that will be set as the active blocking app by default. | +| DefaultBlockingAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active blocking app if the user uninstalls the current active blocking app. This app should be uninstallable. | + +## CallOriginApp + +| Setting | Value | Description | +| --- | --- | --- | +| ActiveCallOriginAppUserModelId | AUMID | The AUMID of the application to be set as the active call origin provider app by default. | +| DefaultCallOriginAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active call origin provider app if the user uninstalls the current active call origin app. This app should be uninstallable. | diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md new file mode 100644 index 0000000000..7ea42d279d --- /dev/null +++ b/windows/configuration/wcd/wcd-cellular.md 
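Review bot: In wcd-callandmessagingenhancement.md, the front-matter title reads "CallAndMessageEnhancement (Windows 10)" while the description, H1 and filename use "CallAndMessagingEnhancement"; align the title. In both tables the Default*AppUserModelId rows end with "This app should be uninstallable." immediately after saying the OS selects it "if the user uninstalls the current active" app; if the fallback could itself be uninstalled there would be nothing left to fall back to, so confirm whether "should not be uninstallable" was intended.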
@@ -0,0 +1,43 @@ +--- +title: Cellular (Windows 10) +description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Cellular (Windows Configuration Designer reference) + +Use to configure settings for cellular connections. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AccountExperienceURL](#accountexperienceurl) | X | | | | | +| [AppID](#appid) | X | | | | | +| [NetworkBlockList](#networkblocklist) | X | | | | | +| [SIMBlockList](#simblocklist) | X | | | | | + + +To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it. + +## AccountExperienceURL + +Enter the URL for the mobile operator's web page. + +## AppID + +Enter the AppID for the mobile operator's app in Microsoft Store. + +## NetworkBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). + +## SIMBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md new file mode 100644 index 0000000000..4e414b4677 --- /dev/null +++ b/windows/configuration/wcd/wcd-certificates.md 
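Review bot: In wcd-cellular.md, the NetworkBlockList and SIMBlockList descriptions both expand mobile network code as "(MCC)"; it should be "(MNC)" to match the "MCC:MNC" pair format given in the same sentence. The two descriptions are otherwise identical, so a reader cannot tell what distinguishes blocking a network from blocking a SIM; add a sentence to each on what is blocked. The file also ends with "\ No newline at end of file", unlike the other new pages.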
@@ -0,0 +1,71 @@ +--- +title: Certificates (Windows 10) +description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Certificates (Windows Configuration Designer reference) + +Use to deploy Root Certificate Authority (CA) certificates to devices. The following list describes the purpose of each setting group. + +- In [CACertificates](#cacertificates), you specify a certificate that will be added to the Intermediate CA store on the target device. +- In [ClientCertificates](#clientcertificates), you specify a certificate that will be added to the Personal store on the target device, and provide (password, keylocation), (and configure whether the certificate can be exported). +- In [RootCertificates](#rootcertificates), you specify a certificate that will be added to the Trusted Root CA store on the target device. +- In [TrustedPeopleCertificates](#trustedpeoplecertificates), you specify a certificate that will be added to the Trusted People store on the target device. +- In [TrustedProvisioners](#trustedprovisioners), you specify a certificate which allows devices to automatically trust packages from the specified publisher. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All setting groups | X | X | X | X | X | + + +## CACertificates + +1. In **Available customizations**, select **CACertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **CertificatePath**, browse to or enter the path to the certificate. + + +## ClientCertificates + +1. 
In **Available customizations**, select **ClientCertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Value | Description | +| --- | --- | ---- | +| **CertificatePassword** | | | +| **CertificatePath** | | Adds the selected certificate to the Personal store on the target device. | +| ExportCertificate | True or false | Set to **True** to allow certificate export. | +| **KeyLocation** | - TPM only
    - TPM with software fallback
    - Software only | | + +## RootCertificates + +1. In **Available customizations**, select **RootCertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **CertificatePath**, browse to or enter the path to the certificate. + +## TrustedPeopleCertificates + +1. In **Available customizations**, select **TrustedPeopleCertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **TrustedCertificate**, browse to or enter the path to the certificate. + + +## TrustedProvisioners + +1. In **Available customizations**, select **TrustedPprovisioners**, enter a CertificateHash, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **TrustedProvisioner**, browse to or enter the path to the certificate. + +## Related topics + + +- [RootCATrustedCertficates configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/rootcacertificates-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md new file mode 100644 index 0000000000..fa14dead06 --- /dev/null +++ b/windows/configuration/wcd/wcd-cleanpc.md 
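Review bot: In wcd-certificates.md, TrustedProvisioners step 1 says select "**TrustedPprovisioners**" (typo for TrustedProvisioners), and the Related topics link text reads "RootCATrustedCertficates" (missing an i). In the ClientCertificates table the Description cells for **CertificatePassword** and **KeyLocation** are empty; say what the password protects and what "TPM only", "TPM with software fallback" and "Software only" mean for whether the private key is held in the TPM or in software. ExportCertificate states no default; add it, since "Set to **True** to allow certificate export" applies to the Personal store on every device that receives the package. The intro bullet for ClientCertificates, "and provide (password, keylocation), (and configure whether the certificate can be exported)", has stray parentheses. In TrustedProvisioners, step 1 asks for a CertificateHash and step 3 for a certificate path; say which of the two identifies the trusted publisher, or whether both are required.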
@@ -0,0 +1,28 @@ +--- +title: CleanPC (Windows 10) +description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CleanPC (Windows Configuration Designer reference) + +Use to remove user-installed and pre-installed applications, with the option to persist user data. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| CleanPCRetainingUserData | X | | | | | +| CleanPCWithoutRetainingUserData | X | | | | | + +For each setting, the options are **Enable** and **Not configured**. + +## Related topics + +- [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md new file mode 100644 index 0000000000..98fdd61592 --- /dev/null +++ b/windows/configuration/wcd/wcd-connections.md 
@@ -0,0 +1,45 @@ +--- +title: Connections (Windows 10) +description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Connections (Windows Configuration Designer reference) + +Use to configure settings related to various types of phone connections. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Cellular](#cellular) | X | X | X | X | | +| [EnterpriseAPN](#enterpriseapn) | X | X | X | X | | +| [Policies](#policies) | X | X | X | X | | +| [Proxies](#proxies) | X | X | X | X | | + +For each setting group: +1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**. +2. In **Available customizations**, select the name that you just created. + +## Cellular + +See [CM_CellularEntries configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-cellularentries-csp) for settings and values. + +## EnterpriseAPN + +See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and +[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values. + +## Policies + +See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values. + +## Proxies + +See [CM_ProxyEntries CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-proxyentries-csp) for settings and values. \ No newline at end of file 
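Review bot: In wcd-connections.md, the intro "Use to configure settings related to various types of phone connections" conflicts with the Applies to table, which marks Desktop editions, Surface Hub and HoloLens for every group; drop "phone". The numbered list under "For each setting group:" follows that line with no blank line, so some Markdown renderers will fold it into the paragraph; insert a blank line as wcd-certificates.md does before its steps. The file also ends with "\ No newline at end of file".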
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md new file mode 100644 index 0000000000..2a71e900c4 --- /dev/null +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md 
@@ -0,0 +1,183 @@ +--- +title: ConnectivityProfiles (Windows 10) +description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ConnectivityProfiles (Windows Configuration Designer reference) + +Use to configure profiles that a user will connect with, such as an email account or VPN profile. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Email](#email) | X | X | X | X | X | +| [Exchange](#exchange) | X | X | X | X | X | +| [KnownAccounts](#knownaccounts) | X | X | X | X | X | +| [VPN](#vpn) | X | X | X | X | X | +| [WiFiSense](#wifisense) | X | X | X | X | X | +| [WLAN](#wlan) | X | X | X | X | X | + +## Email + +Specify an email account to be automatically set up on the device. + +1. In **Available customizations**, select **Email**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure for each account. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| **AccountType** | Select between **Normal email** and **Visual voice mail** | +| AuthForOutgoingMail | Set to **True** if the outgoing server requires authentication | +| Domain | Enter the domain for the account | +| HaveAlternateCredentialsForSMTP | Specify whether the user's alternate SMTP account is enabled. If enabled, configure the **SMTPDomain**, **SMTPName**, and **SMTPPassword** settings | +| InboxUpdateFrequency | Specify the time between email send/receive updates, in minutes. Available values are:

    - Manual update
    - Every 2 hours
    - Every 15 minutes
    - Every 30 minutes
    - Every hour | +| **IncomingMailServerName** | Enter the name of the messaging service's incoming email server | +| **OutgoingServerName** | Enter the name of the messaging service's outgoing mail server | +| Password | Enter the password for the account | +| ReplyAddress | Enter the reply address for the account | +| SenderName | Enter the name of the sender for the account | +| **ServiceName** | Enter the name of the email service | +| **ServiceType** | Select **IMAP4** or **POP3** for service type | +| SMTPDomain | Enter the domain name for the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled | +| SMTPName | Enter the display name associated with the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled | +| SMTPPassword | Enter the password for the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled | +| SSLIncoming | Specify whether the incoming email server uses SSL | +| SSLOutgoing | Specify whether the outgoing email server uses SSL | +| SyncOptions | Specify how many days' worth of emails should be downloaded from the server. Available values are:

    - All mail
    - Two weeks
    - One month
    - One week | +| **UserName** | Enter the user name for the account | + +## Exchange + +Configure settings related to Exchange email server. These settings are related to the [ActiveSync configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/activesync-csp). + + +1. In **Available customizations**, select **Exchange**, enter a name for the account, and then click **Add**. A globally unique identifier (GUID) is generated for the account. +2. In **Available customizations**, select the GUID that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| AccountIcon | Specify the location of the icon associated with the account.

    The account icon can be used as a tile in the Start list or as an icon in the applications list under **Settings > Email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png`. The suggested icon for Exchange Accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png`. Custom icons can be added if desired. | +| **AccountName** | Enter the name that refers to the account on the device | +| **AccountType** | Select **Exchange** | +| **DiagnosticLogging** | Select whether to disable logging, enable basic logging, or enable advanced logging | +| Domain | Enter the domain name of the Exchange server | +| **EmailAddress** | Enter the email address associated with the Exchange ActiveSync account. | +| **MailAgeFilter** | Specify the time window used for syncing email items to the device. Available values are:

    - All email is synced
    - Only email up to three days old is synced
    -Email up to a week old is synced (default)
    - Email up to two weeks old is synced
    - Email up to a month old is synced | +| **Password** | Enter the password for the account | +| **Schedule** | Specify the time until the next sync is performed, in minutes. Available values are:

    - As items are received (default)
    - Sync manually
    - Every 15 minutes
    - Every 30 minutes
    - Every 60 minutes | +| **ServerName**| Enter the server name used by the account | +| SyncCalendar_Enable | Enable or disable calendar sync | +| SyncCalendar_Name | If you enable calendar sync, enter **Calendar** | +| SyncContacts_Enable | Enable or disable contacts sync | +| SyncContacts_Name | If you enable contacts sync, enter **Contacts** | +| SyncEmail_Enable| Enable or disable email sync | +| SyncEmail_Name | If you enable email sync, enter **Email** | +| SyncTasks_Enable | Enable or disable tasks sync | +| SyncTasks_Name | If you enable tasks sync, enter **Tasks** | +| **UserName** | Enter the user name for the account | +| UseSSL | Specify whether to use Secure Sockets Layer (SSL) | + +## KnownAccounts + +Configure the settings to add additional email accounts. + +| Setting | Description | +| --- | --- | +| KnownAccountsOEM |Enter the source or file location of the KnownAccountsOEM.xml file on your development workstation. | +| OemFilePath | Enter the name of the XML file that defines the new account to be added. The name must be KnownAccountsOEM.xml. | + +## VPN + +Configure settings to change the default maximum transmission unit ([MTU](#mtu)) size settings for Point-to-Point Protocol (PPP) connections or for virtual private network (VPN) connections, or to create a [VPN profile](#vpn). + +### MTU + +| Setting | Description | +| --- | --- | +| PPPProtocolType | Select **VPNPPPProtocolType** | +| ProtocolType | Select **VPNProtocolType** | +| TunnelMTU | Enter the desired MTU size, between **1** and **1500** | + +### VPN + +1. In **Available customizations**, select **VPNSetting**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required. 
+ +| Setting | Description | +| --- | --- | +| **ProfileType** | Choose between **Native** and **Third Party** | +| RememberCredentials | Select whether credentials should be cached | +| AlwaysOn | Set to **True** to automatically connect the VPN at sign-in | +| LockDown | When set to **True**:
    - Profile automatically becomes an "always on" profile
    - VPN cannot be disconnected
    -If the profile is not connected, the user has no network connectivity
    - No other profiles can be connected or modified | +| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN | +| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | +| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | +| Proxy | Configure to **Automatic** or **Manual** | +| ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings | +| ProxyServer | When **Proxy** is set to **Manual**, enter the proxy server address as a fully qualified hostname or enter `IP address:Port` | + +## WiFiSense + +Configure settings related to Wi-Fi Sense. + +### Config + +The **Config** settings are initial settings that can be overwritten when settings are pushed to the device by the cloud. + +| Setting | Description | +| --- | --- | +| WiFiSharingFacebookInitial | Enable or disable sharing of Wi-Fi networks with Facebook contacts | +| WiFiSharingOutlookInitial | Enable or disable sharing of Wi-Fi networks with Outlook contacts | +| WiFiSharingSkypeInitial | Enable or disable sharing of Wi-Fi networks with Skype contacts | + +### FirstBoot + +| Setting | Description | +| --- | --- | +| DefaultAutoConnectOpenState | When enabled, the OOBE Wi-Fi Sense checkbox to automatically connect to open networks will be checked. | +| DefaultAutoConnectSharedState | When enabled, the OOBE Wi-Fi Sense checkbox to share networks with contacts will be checked. | +| WiFiSenseAllowed | Enable or disable Wi-Fi Sense. Wi-Fi Sense features include auto-connect to Wi-Fi hotspots and credential sharing. 
| + +### SystemCapabilities + +You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Telemetry data is generated by the system to provide data that can be used to diagnose both software and hardware issues. + +| Setting | Description | +| --- | --- | +| CoexistenceSupport | Specify the type of co-existence that's supported on the device:

    - **Both**: Both Wi-Fi and Bluetooth work at the same performance level during co-existence
    - **Wi-Fi reduced**: On a 2X2 system, Wi-Fi performance is reduced to 1X1 level
    - **Bluetooth centered**: When co-existing, Bluetooth has priority and restricts Wi-Fi performance
    - **One**: Either Wi-Fi or Bluetooth will stop working | +| NumAntennaConnected | Enter the number of antennas that are connected to the WLAN radio | +| SimultaneousMultiChannelSupported | Enter the maximum number of channels that the Wi-Fi device can simultaneously operate on. For example, you can use this to specify support for Station mode and Wi-Fi Direct GO on separate channels simultaneously. | +| WLANFunctionLevelDeviceResetSupported | Select whether the device supports functional level device reset (FLDR). The FLDR feature in the OS checks this system capability exclusively to determine if it can run. | +| WLANPlatformLevelDeviceResetSupported | Select whether the device supports platform level device reset (PLDR). The PLDR feature in the OS checks this system capability exclusively to determine if it can run. | + + +## WLAN + +Configure settings for wireless connectivity. + +### Profiles + +**To add a profile** + +1. Create [the wireless profile XML](https://msdn.microsoft.com/library/windows/desktop/aa369853.aspx). +2. In **WLAN > Profiles**, browse to and select the profile XML file. +3. Click **Add**. + +### WLANXmlSettings + +Enter a SSID, click **Add**, and then configure the following settings for the SSID. + +| Settings | Description | +| --- | --- | +| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. | +| AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. | +| HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. 
| +| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**.

    If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md new file mode 100644 index 0000000000..84e1e611f1 --- /dev/null +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -0,0 +1,23 @@ +--- +title: CountryAndRegion (Windows 10) +description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CountryAndRegion (Windows Configuration Designer reference) + +Use to configure a setting that partners must customize to ship Windows devices to specific countries/regions. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| CountryCodeForExtendedCapabilityPrompts | X | X | X | X | | + +You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md new file mode 100644 index 0000000000..6f954aec14 --- /dev/null +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md 
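Review bot: In wcd-connectivityprofiles.md, the VPN intro links "create a [VPN profile](#vpn)" to #vpn, which resolves to the "## VPN" heading that contains the link rather than to the "### VPN" subsection (a second identical heading gets a different generated anchor); rename the subsection, for example to "VPNSetting", the customization name its step 1 already uses, and point the link there. Typos: "same Wi-Fi neetwork" (ByPassForLocal), "is usedas the primary" (DnsSuffix), and missing spaces after the dash in "-If the profile is not connected" (LockDown) and "-Email up to a week old is synced (default)" (MailAgeFilter). The Email and Exchange tables take **Password** and SMTPPassword as plain values and the VPN table offers RememberCredentials; add a sentence on how these secrets are stored in the package, since every device that applies it receives them. In WLANXmlSettings, ProxyServerPort lists "server name, FQDN, or SLN or IPv4 or IPv6 address"; check "SLN", which is not expanded anywhere on the page. SecurityType offers **WEP** beside **WPA2-Personal** without comment; consider marking WEP as legacy-only so it is not picked for new profiles.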
@@ -0,0 +1,22 @@ +--- +title: DesktopBackgrounAndColors (Windows 10) +description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DesktopBackgrounAndColors (Windows Configuration Designer reference) + +Do not use. Instead, use the [Personalization settings](wcd-personalization.md). + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md new file mode 100644 index 0000000000..76c7f07631 --- /dev/null +++ b/windows/configuration/wcd/wcd-developersetup.md 
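Review bot: In wcd-desktopbackgroundandcolors.md, "DesktopBackgrounAndColors" (missing the d in Background) appears in the title, the description and the H1, while the filename spells it DesktopBackgroundAndColors; fix all three so the page is findable by its setting-group name.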
@@ -0,0 +1,37 @@ +--- +title: DeveloperSetup (Windows 10) +description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeveloperSetup (Windows Configuration Designer reference) + +Use to unlock developer mode on HoloLens devices and configure authentication to Windows Device Portal. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [EnableDeveloperMode](#enabledevelopermode) | | | | X | | +| [AuthenticationMode](#authenticationmode) | | | | X | | + + + +## DeveloperSetupSettings: EnableDeveloperMode + +When this setting is configured as **True**, the device is unlocked for developer functionality. + + +## WindowsDevicePortalSettings: Authentication Mode + +When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal. + +## Related topics + +- [Device Portal for HoloLens](https://docs.microsoft.com/windows/uwp/debug-test-perf/device-portal-hololens) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md new file mode 100644 index 0000000000..c9d4434a24 --- /dev/null +++ b/windows/configuration/wcd/wcd-deviceformfactor.md 
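Review bot: In wcd-developersetup.md, the Applies to table links to #enabledevelopermode and #authenticationmode, but the headings are "DeveloperSetupSettings: EnableDeveloperMode" and "WindowsDevicePortalSettings: Authentication Mode", whose generated anchors differ; either use the bare setting names as headings or update the links. "Authentication Mode" in the heading should be "AuthenticationMode", as in the table and body text. The AuthenticationMode paragraph covers only the **Basic Auth** value; list the other values the setting accepts, and state that the user name and password entered here become the Windows Device Portal credentials on every device that receives the package.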
@@ -0,0 +1,67 @@ +--- +title: DeviceFormFactor (Windows 10) +description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeviceFormFactor (Windows Configuration Designer reference) + +Use to identify the form factor of the device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DeviceForm | X | X | X | X | | + +Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. + +DeviceForm supports the following features or components: + +- Cortana and Bing use the DeviceForm value to determine the accuracy of specific signals, such as location (GPS versus Wi-Fi versus reverse IP address lookup). +- Windows 10 features, such as Bluetooth and camera, may require DeviceForm to be accurately configured for full functionality. + +Select the appropriate form from the dropdown menu. + +| Device form | Description | +| --- | --- | +| Phone | A typical smartphone combines cellular connectivity, a touch screen, rechargeable power source, and other components into a single chassis. | +| LargeScreen | Microsoft Surface Hub | +| HMD | (Head-mounted display) A holographic computer that is completely untethered - no wires, phones, or connection to a PC needed. | +| IndustryHandheld | A device screen less than 7” diagonal designed for industrial solutions. May or may not have a cellular stack. 
| +| IndustryTablet | A device with an integrated screen greater than 7” diagonal and no attached keyboard designed for industrial solutions as opposed to consumer personal computer. May or may not have a cellular stack. | +| Banking | A machine at a bank branch or another location that enables customers to perform basic banking activities including withdrawing money and checking one's bank balance. | +| BuildingAutomation | A controller for industrial environments that can include the scheduling and automatic operation of certain systems such as conferencing, heating and air conditioning, and lighting. | +| DigitalSignage | A computer or playback device that's connected to a large digital screen and displays video or multimedia content for informational or advertising purposes. | +| Gaming | A device that's used for playing a game. It can be mechanical, electronic, or electromechanical equipment. | +| HomeAutomation | A controller that can include the scheduling and automatic operation of certain systems including heating and air conditioning, security, and lighting. | +| Industrial Automation | Computers that are used to automate manufacturing systems such as controlling an assembly line where each station is occupied by industrial robots. | +| Tablet | A device with an integrated screen that's less than 18". It combines a touch screen, rechargeable power source, and other components into a single chassis with an optional attachable keyboard. | +| Kiosk | An unattended structure that can include a keyboard and touch screen and provides a user interface to display interactive information and allow users to get more information. | +| MakerBoard | A low-cost and compact development board that's used for prototyping any number IoT-related things. | +| Medical | Devices built specifically to provide medical staff with information about the health and well-being of a patient. 
| +| Networking | A device or software that determines where messages, packets, and other signals will go next. | +| POS | (Point of Service) An electronic cash register or self-service checkout. | +| Printing | A printer, copy machine, or a combination of both. | +| ThinClient | A device that connects to a server to perform computing tasks as opposed to running apps locally. | +| Toy | A device used solely for enjoyment or entertainment. | +| Vending | A machine that dispenses items in exchange for payment in the form of coin, currency, or credit/debit card. | +| IndustryOther |A device that doesn't fit into any of the previous categories. | +| Desktop | A desktop PC form factor traditional comes in an upright tower or small desktop chassis and does not have an integrated screen. | +| Notebook | A notebook is a portable clamshell device with an attached keyboard that cannot be removed. | +| Convertible | A convertible device is an evolution of the traditional notebook where the keyboard can be swiveled, rotated or flipped, but not completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| Detachable | A detachable device is an evolution of the traditional notebook where the keyboard can be completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| AIO | An All-in-One (AIO) device is an evolution of the traditional desktop with an attached display. | +| Stick | A device that turns your TV into a Windows computer. Plug the stick into the HDMI slot on the TV and connect a USB or Bluetooth keyboard or mouse. | +| Puck | A small-size PC that users can use to plug in a monitor and keyboard. | + + + + + diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md new file mode 100644 index 0000000000..297225f5a1 --- /dev/null +++ b/windows/configuration/wcd/wcd-devicemanagement.md 
@@ -0,0 +1,92 @@ +--- +title: DeviceManagement (Windows 10) +description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeviceManagement (Windows Configuration Designer reference) + +Use to... + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Accounts](#accounts) | X | X | X | X | | +| [PGList](#pglist) | X | X | X | X | | +| [Policies](#policies) | X | X | X | X | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | X | | + +## Accounts + +1. In **Available customizations**, select **Accounts**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the account that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| **Address** | Enter the OMA DM server address | +| **AddressType** | Choose between **IPv4** and **URI** for the type of OMA DM server address. The default value of **URI** specifies that the OMA DM account address is a URI address. A value of **IPv4** specifies that the OMA DM account address is an IP address. | +| **AppID** | Select **w7** | +| Authentication > Credentials | 1. Select a credentials level (CLCRED or SRVCRED). A value of **CLCRED** indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of **SRVCRED** indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
    2. In **Available customizations**, select the level.
    3. For **Data**, enter the authentication nonce as a Base64 encoded string.
    4. For **Level**, select **CLCRED** or **SRVCRED**.
    5. For **Name**, enter the authentication name.
    6. For **Secret**, enter the password or secret used for authentication.
    7. For **Type**, select between **Basic**, **Digest**, and **HMAC**. For **CLCRED**, the supported values are **BASIC** and **DIGEST**. For **SRVCRED**, the supported value is **DIGEST**. | +| AuthenticationPreference | Select between **Basic**, **Digest**, and **HMAC** | +| BackCompatRetryDisabled | Specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled. | +| ConnectionRetries | Enter a number to specify how many retries the DM client performs when there are Connection Manager-level or wininet-level errors. The default value is `3`. | +| CRLCheck | Specify whether a CRL Check should be performed. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to **True** to enable SSL revocation. 
| +| DefaultEncoding | Select whether the OMA DM client will use **WBXML** or **XML** for the DM package when communicating with the server | +| DisableOnRoaming | Specify whether the client will connect while cellular roaming | +| InitialBackOffTime | Specify the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry | +| InitiateSession | Specify whether a session should be started with the MDM server when the account is provisioned | +| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attemption a connection retry | +| Name | Enter a display name for the management server | +| Port | Enter the OMA DM server port | +| PrefConRef | Enter a URI to NAP management object or a connection GUID used by the device Connection Manager | +| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports | +| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server | +| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account | +| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | +| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device | +| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication | + + +## PGList + +1. In **Available customizations**, select **PGList**, enter a LogicalProxyName, and then click **Add**. +2. 
In **Available customizations**, select the LogicalProxyName that you just created, and then select **PhysicalProxies**. +3. Enter a PhysicalProxyName, and then click **Add**. The following table describes the settings you can configure for the physical proxy and for **Trust**. + +| Setting | Description | +| --- | --- | +| Address | Enter the address of the physical proxy | +| AddressType | Select between **E164**, **IPV4**, and **IPV^** for the format and protocol of the PXADDR element for a physical proxy | +| MatchedNapID | Enter a string that defines the SMS bearer. This string must match the NAPID exactly. The value must contains MVID macro if it is an IPv4 PXADDRTYPE. | +| PushEnabled | Select whether push operations are enabled | +| Trust | Specify whether or not the physical proxies in this logical proxy are privileged | + + +## Policies + +The following table describes the settings you can configure for **Policies**. + +| Setting | Description | +| --- | --- | +| MMS > MMSMessageRoles | Select between **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. If a message contains at least one of the roles in the selected role mask, then the message is processed. | +| OMACP > NetwpinRoles | Select a policy role to specify whether OMA network PIN-signed messages will be accepted. OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

    **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UsernetwpinRoles | Select a policy role to specify whether the OMA user network PIN-signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

    **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UserpinRoles | Select a policy role to specify whether the OMA user PIN or user MAC signed message will be accepted. OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| SISL > ServiceIndicationRoles | Specify the security roles that can accept SI messages. Service Indication (SI) Message policy indicates whether SI messages are accepted by specifying the security roles that can accept SI messages. An SI message is sent to the phone to notify users of new services, service updates, and provisioning services.

    Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| SISL > ServiceLoadingRoles | Specify the security roles that can accept SL messages. Service Loading (SL) Message policy indicates whether SL messages are accepted by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the phone.

    Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | + +## TrustedProvisioningSource + +In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). + +## Related topics + +- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp) +- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md new file mode 100644 index 0000000000..27a6b9dd36 --- /dev/null +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -0,0 +1,27 @@ +--- +title: DMClient (Windows 10) +description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DMClient (Windows Configuration Designer reference) + +Use to specify enterprise-specific mobile device management configuration setting. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| UpdateManagementServiceAddress | X | X | X | X | X | + +For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. + +## Related topics + +- [DMClient configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md new file mode 100644 index 0000000000..76e05d28ae --- /dev/null 
+++ b/windows/configuration/wcd/wcd-editionupgrade.md 
@@ -0,0 +1,46 @@ +--- +title: EditionUpgrade (Windows 10) +description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# EditionUpgrade (Windows Configuration Designer reference) + +Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 edition upgrades.](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ChangeProductKey](#changeproductkey) | X | X | | X | | +| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | X | X | | X | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | X | | + + +## ChangeProductKey + +Enter a product key, which will be used to update the existing product key on the device. + +## UpgradeEditionWithLicense + +Browse to and select a license XML file for the edition upgrade. + + +## UpgradeEditionWithProductKey + +Enter a product key for an edition upgrade of Windows 10 devices. + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and changepk.exe runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. 
+ + +## Related topics + +- [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/windowslicensing-csp) diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md new file mode 100644 index 0000000000..2203a1cb2b --- /dev/null +++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md @@ -0,0 +1,29 @@ +--- +title: EmbeddedLockdownProfiles (Windows 10) +description: This section describes the EmbeddedLockdownProfiles setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# EmbeddedLockdownProfiles (Windows Configuration Designer reference) + +Use to apply an XML configuration to a mobile device that locks down the device, configures custom layouts, and define multiple roles. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| AssignedAccessXml | | X | | | | + +1. Create a lockdown XML file, either by using [the Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) or [manually](../mobile-devices/lockdown-xml.md). +2. In the **AssignedAccessXml** setting, browse to and select the lockdown XML file that you created. + + +## Related topics + +- [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md new file mode 100644 index 0000000000..df61861e90 --- /dev/null +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -0,0 +1,27 @@ +--- +title: FirewallConfiguration (Windows 10) +description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# FirewallConfiguration (Windows Configuration Designer reference) + +Use to enable AllJoyn router to work on public networks. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| EnableAllJoynOnPublicNetwork | | | | | X | + +Set to **True** or **False**. + +## Related topics + +- [AllJoyn](https://developer.microsoft.com/windows/iot/docs/alljoyn) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md new file mode 100644 index 0000000000..cf0f7c1983 --- /dev/null +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -0,0 +1,16 @@ +--- +title: FirstExperience (Windows 10) +description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# FirstExperience (Windows Configuration Designer reference) + +Do not configure **FirstExperience** in provisioning packages at this time. These settings will be available to configure the out-of-box experience (OOBE) to set up HoloLens in a future release. + diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md new file mode 100644 index 0000000000..08eff6065d --- /dev/null +++ b/windows/configuration/wcd/wcd-folders.md 
@@ -0,0 +1,23 @@ +--- +title: Folders (Windows 10) +description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Folders (Windows Configuration Designer reference) + +Use to add files to the device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| PublicDocuments | X | X | X | X | | + +Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md new file mode 100644 index 0000000000..a579fca408 --- /dev/null +++ b/windows/configuration/wcd/wcd-initialsetup.md 
@@ -0,0 +1,30 @@ +--- +title: InitialSetup (Windows 10) +description: This section describes the InitialSetup setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# InitialSetup (Windows Configuration Designer reference) + +Use to set the name of the Windows mobile device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DeviceName | | X | | | | + +In **DeviceName**, enter a name for the device. If **DeviceName** is set to an asterisk (*) or is an empty string, a random device name will be generated. + +**DeviceName** is a string with a maximum length of 15 bytes of content: + +- **DeviceName** can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content. +- **DeviceName** cannot use spaces or any of the following characters: { | } ~ [ \ ] ^ ' : ; < = > ? @ ! " # $ % ` ( ) + / . , * &, or contain any spaces. +- **DeviceName** cannot use some non-standard characters, such as emoji. + diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md new file mode 100644 index 0000000000..e3290e6905 --- /dev/null +++ b/windows/configuration/wcd/wcd-internetexplorer.md 
@@ -0,0 +1,95 @@ +--- +title: InternetExplorer (Windows 10) +description: This section describes the InternetExplorer settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# InternetExplorer (Windows Configuration Designer reference) + +Use to configure settings related to Internet Explorer. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [CustomHTTPHeaders](#customhttpheaders) | | X | | | | +| [CustomUserAgentString](#customuseragentstring) | | X | | | | +| DataSaving > [BrowseDataSaver](#browsedatasaver) | | X | | | | +| DataSaving > [ShowPicturesAutomatically](#showpicturesautomatically) | | X | | | | +| [FirstRunURL](#firstrunurl) | | X | | | | + +## CustomHTTPHeaders + +Configure Microsoft Edge to send custom HTTP headers. These will be sent in addition to the default HTTP headers with all HTTP and HTTPS requests. The header is the portion of the HTTP request that defines the form of the message. + +- A maximum of 16 custom headers can be defined. +- Custom headers cannot be used to modify the user agent string. +- Each header must be no more than 1 KB in length. + +The following header names are reserved and must not be overwritten: + +- Accept +- Accept-Charset +- Accept-Encoding +- Authorization +- Expect +- Host +- If-Match +- If-Modified-Since +- If-None-Match +- If-Range +- If-Unmodified-Since +- Max-Forwards +- Proxy-Authorization +- Range +- Referer +- TE +- USER-AGENT +- X-WAP-PROFILE + +1. In **Available customizations**, select **CustomHTTPHeaders**, enter a name, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. Enter the custom header. 
+ +## CustomUserAgentString + +The user agent string indicates which browser you are using, its version number, and details about your system, such as operating system and version. A web server can use this information to provide content that is tailored for your specific browser and phone. + +The user agent string for the browser cannot be modified. By default, the string has the following format: + +`Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; ; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166` + +- is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo. +- is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo. + + +**Limitations and restrictions:** + +- The user agent string for the browser cannot be modified outside of the customizations listed above. +- The user agent type registry setting cannot be modified or used to change the default browser view from Mobile to Desktop. + + + +## BrowseDataSaver + +Use to set the browser data saver default setting. **True** turns on the browser data saver feature. + +Partners can configure the default setting for the browser data saver feature by turning the browser optimization service (through the BrowserDataSaver setting) on or off. + + +## ShowPicturesAutomatically + +Use to enable or disable whether the **Show pictures automatically** setting is available in Internet Explorer **advanced settings**. + + +## FirstRunURL + +Use to set the home page that appears the first time that Microsoft Edge is opened. This page is only shown the first time the browser is opened. After that, the browser displays either the most recently viewed page or an empty page if the user has closed all tabs or opens a new tab. 
+ +Specify the **FirstRunURL** value with a valid link that starts with http://. It is recommended you use a forward link that redirects the user to a localized page. diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md new file mode 100644 index 0000000000..7ae7661ea8 --- /dev/null +++ b/windows/configuration/wcd/wcd-licensing.md @@ -0,0 +1,30 @@ +--- +title: Licensing (Windows 10) +description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Licensing (Windows Configuration Designer reference) + +Use for settings related to Microsoft licensing programs. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | X | | | | | +| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | X | | | | | + +## AllowWindowsEntitlementReactivation + +Enable or disable Windows license reactivation. + +## DisallowKMSClientOnlineAVSValidation + +Enable this setting to prevent the device from sending data to Microsoft regarding its activation state. diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md new file mode 100644 index 0000000000..afe5f92c1c --- /dev/null +++ b/windows/configuration/wcd/wcd-maps.md 
@@ -0,0 +1,48 @@ +--- +title: Maps (Windows 10) +description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Maps (Windows Configuration Designer reference) + +Use for settings related to Maps. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | X | | +| [UseExternalStorage](#useexternalstorage) | X | X | X | X | | +| [UseSmallerCache](#usesmallercache) | X | X | X | X | | + + +## ChinaVariantWin10 + +Use **ChinaVariantWin10** to specify that the Windows device is intended to ship in China. When set to **True**, maps approved by the State Bureau of Surveying and Mapping in China are used, which are obtained from a server located in China. + +This customization may result in different maps, servers, or other configuration changes on the device. + + +## UseExternalStorage + +Use to store map data on an SD card. + +Map data is used by the Maps application and the map control for third-party applications. This data can be store on an SD card, which provides the advantage of saving internal memory space for user data and allows the user to download more offline map data. Microsoft recommends enabling the **UseExternalStorage** setting on devices that have less than 8 GB of user storage and an SD card slot. + +You can use **UseExternalStorage** whether or not you include an SD card with preloaded map data on the phone. If set to **True**, the OS only allows the user to download offline maps when an SD card is present. 
If an SD card is not present, users can still view and cache maps, but they will not be able to download a region of offline maps until an SD card is inserted. + +If set to **False**, map data will always be stored on the internal data partition of the device. + +>[!NOTE] +>SD card performance can affect the quality of the Maps experience when maps are stored on the SD card. When an SD card is used, Microsoft recommends that you test the Maps experience and the speed of map downloads with the specific SD card part that will be used on retail phones to determine if performance is satisfactory. + +## UseSmallerCache + +Do not use. diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md new file mode 100644 index 0000000000..871e87042c --- /dev/null +++ b/windows/configuration/wcd/wcd-messaging.md 
@@ -0,0 +1,171 @@ +--- +title: Messaging (Windows 10) +description: This section describes the Messaging settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Messaging (Windows Configuration Designer reference) + +Use for settings related to Messaging. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + +## GlobalSettings > ShowSendingStatus + +Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages. + +## PerSimSettings > _ICCID + +Use to configure settings for each subscriber identification module (SIM) card. + +### AllowSelectAllContacts + +Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. + +Windows 10 Mobile supports the following select multiple recipients features: + +- A multi-select chooser, which enables users to choose multiple contacts. +- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM. + +### AllowSendingDeliveryReport + +Specify whether the phone automatically sends a receipt acknowledgment for MMS messages. Partners can specify whether the phone automatically sends a receipt acknowledgment for MMS messages when they arrive, and they can determine whether users can control the receipt acknowledgments by using the **Send MMS acknowledgment** toggle in **Messaging > settings**. 
By default, this user setting is visible and turned on. + +| Setting | Description | +| --- | --- | +| AllowSendingDeliveryReport | **True** sets the **Send MMS acknowledgment** toggle to **On** | +| AllowSendingDeliveryReportIsSupported | **True** shows the **Send MMS acknowledgment** toggle, and **False** hides the toggle | + +### AutomaticallyDownload + +Specify whether MMS messages are automatically downloaded. + +| Setting | Description | +| --- | --- | +| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** | +| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle | + +### DefaultContentLocationUrl + +For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. + +Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC. + +### ErrorCodeEnabled + +You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. + +Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed. + + +### ImsiAuthenticationToken + +Configure whether MMS messages include the IMSI in the GET and POST header. + +Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC. + +### MaxRetryCount + +You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. 
+ +Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3. + + +### RcsOptions + +Set options for Rich Communications Services (RCS). + +| Setting | Description | +| --- | --- | +| RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. | +| RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.| +| RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. | +| ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. | + + +### RequestDeliveryReport + +Set options related to MMS message notifications. You can specify whether users receive notification that MMS messages could not be delivered, and determine whether users can control this by using the MMS delivery confirmation toggle in **Messaging > settings**. By default, this user setting is visible but turned off. + +| Setting | Description | +| --- | --- | +| RequestDeliveryReport | Set to **True** to set the default value to on. | +| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. | + + +### TargetVideoFormat + +You can specify the transcoding to use for video files sent as attachments in MMS messages. + +Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages: + +| Value | Description | +| --- | --- | +| 0 or 0x0 | Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS. | +| 1 or 0x1 | Sets the transcoding to H.264 + AAC + 3GP. | +| 2 or 0x2 | Sets the transcoding to H.263 + AMR.NB + 3GP. | +| 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. | + + +### UAProf + +You can specify a user agent profile to use on the phone for MMS messages. 
The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. + +There are two ways to correlate a user agent profile with a given phone: +- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified. +- Alternatively, you can directly set the URI of the user agent profile on the phone. + +Set **UAProf** to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`. + + +### UAProfToken + +You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. + +Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`. + + +### UserAgentString + +Set **UserAgentString** to the new user agent string for MMS in its entirely. + +By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone. + + +### w4 + +| Setting | Description | +| --- | --- | +| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:

    - A Uniform Resource Identifier (URI)
    - An IPv4 address represented in decimal format with dots as delimiters
    - A fully qualified Internet domain name | +| APPID | Set to `w4` | +| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. | +| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:

    - Character string containing the name
    - no value specified

    If no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. | +| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). | +| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. | + + + +### WapPushTechnology + +For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. + +| Value | Description | +| --- | --- | +| 1 or 0x1 | Enables MMS messages to have some of their content truncated. | +| 0 or 0x0 | Disables MMS messages from being truncated. | + + + +## Related topics + +- [w4 APPLICATION CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/w4-application-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md new file mode 100644 index 0000000000..98bae12f8b --- /dev/null +++ b/windows/configuration/wcd/wcd-modemconfigurations.md 
@@ -0,0 +1,22 @@ +--- +title: ModemConfiguration (Windows 10) +description: This section describes the ModemConfiguration settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ModemConfiguration (Windows Configuration Designer reference) + +Documentation not available at this time. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md new file mode 100644 index 0000000000..fa8c0d735f --- /dev/null +++ b/windows/configuration/wcd/wcd-multivariant.md 
@@ -0,0 +1,23 @@ +--- +title: Multivariant (Windows 10) +description: This section describes the Multivariant settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Multivariant (Windows Configuration Designer reference) + +Use to select a default profile for mobile devices that have multivariant configurations. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DefaultProfile | | X | | | | + +If you will be adding [multivariant settings](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-multivariant) to your provisioning package, you can use the **DefaultProfile** setting to specify which variant should be applied by default if OOBE is skipped. In the **DefaultProfile** field, enter the UINAME from your customizations.xml that you want to use as default. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md new file mode 100644 index 0000000000..3689226767 --- /dev/null +++ b/windows/configuration/wcd/wcd-networkproxy.md 
@@ -0,0 +1,51 @@ +--- +title: NetworkProxy (Windows 10) +description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# NetworkProxy (Windows Configuration Designer reference) + +Use for settings related to NetworkProxy. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + + +## AutoDetect + +Automatically detect network proxy settings. + +| Value | Description | +| --- | --- | +| 0 | Disabled. Do not automatically detect settings. | +| 1 | Enabled. Automatically detect settings. | + +## ProxyServer + +Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + +| Setting | Description | +| --- | --- | +| ProxyAddress | Address to the proxy server. Specify an address in the format `server:port`. | +| ProxyExceptions | Addresses that should not use the proxy server. The system will not use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. | +| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.

    - 0 = Disabled. Do not use the proxy server for local addresses.
    - 1 = Enabled. Use the proxy server for local addresses. | + + +## SetupScriptUrl + +Address to the PAC script you want to use. + + +## Related topics + +- [NetworkProxy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md new file mode 100644 index 0000000000..be9d9f4d69 --- /dev/null +++ b/windows/configuration/wcd/wcd-networkqospolicy.md 
@@ -0,0 +1,37 @@ +--- +title: NetworkQoSPolicy (Windows 10) +description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# NetworkQoSPolicy (Windows Configuration Designer reference) + +Use to create network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + +1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. + +| Setting | Description | +| --- | --- | +| AppPathNameMatchCondition | Enter the name of an application to be sued to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. | +| DestinationPortMatchCondition | Specify a port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number], or [port number]. | +| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-63. | +| IPProtocolMatchCondition | Select between **Both TCP and UDP**, **TCP**, and **UDP** to specify the IP protocol used to match the network traffic. | +| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 7. | +| SourcePortMatchCondition | Specify a single port or range of ports. Valid values are [first port number]-[last port number], or [port number]. 
| + +## Related topics + +- [NetworkQoSPolicy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md new file mode 100644 index 0000000000..1b56de1940 --- /dev/null +++ b/windows/configuration/wcd/wcd-nfc.md @@ -0,0 +1,29 @@ +--- +title: NFC (Windows 10) +description: This section describes the NFC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# NFC (Windows Configuration Designer reference) + +Use to configure settings related to near field communications (NFC) subsystem. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + +Expand **NFC** > **SEMgr** > **UI**. The following table describes the settings you can configure. + +| Setting | Description | +| --- | --- | +| CardEmulationState | Configure the default state of **Tap to pay**. Select between **OFF**, **When Phone Unlocked**, **When Screen On**, and **Anytime**. | +| DefaultFastCardSetting | Configure the default fast card usage for NFC payments. Select between **When Phone Unlocked**, **When Screen On**, and **Anytime**. | +| HideFastCardsOption | Show or hide the fast cards options drop-down menu in the **NFC** > **Tap to pay** control panel. | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md new file mode 100644 index 0000000000..e609255e3d --- /dev/null +++ b/windows/configuration/wcd/wcd-oobe.md 
@@ -0,0 +1,47 @@ +--- +title: OOBE (Windows 10) +description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# OOBE (Windows Configuration Designer reference) + +Use to configure settings for the Out Of Box Experience (OOBE). + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | | +| [Mobile > HideOobe](#hidem) | | X | | | | +| [Desktop > HideOobe](#hided) | X | | | | | + + +## EnforceEnterpriseProvisioning + +When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting. + +When set to **False**, it does not force the OOBE flow to the enterprise provisioning page. + + +## HideOobe for mobile + +When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile. + +When set to **False**, the OOBE screens are displayed. + + +## HideOobe for desktop + +When set to **True**, it hides the interactive OOBE flow for Windows 10. + +>[!NOTE] +>You must create a user account if you set the value to true or the device will not be usable. + +When set to **False**, the OOBE screens are displayed. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md new file mode 100644 index 0000000000..ff79d72f5f --- /dev/null +++ b/windows/configuration/wcd/wcd-otherassets.md 
@@ -0,0 +1,27 @@ +--- +title: OtherAssets (Windows 10) +description: This section describes the OtherAssets settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# OtherAssets (Windows Configuration Designer reference) + +Use to configure settings for Map data. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| MapData | | X | | | | + +Use **MapData** to specify the source directory location of the map region you want to include. + +For example, if C:\Path\Maps\Europe contains the downloaded map data that you want to preload, set the value to that directory. + +To add additional maps, add a new MapData setting and set the source to the directory location of the map region you want to include. diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md new file mode 100644 index 0000000000..a5aaee541d --- /dev/null +++ b/windows/configuration/wcd/wcd-personalization.md 
@@ -0,0 +1,44 @@ +--- +title: Personalization (Windows 10) +description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Personalization (Windows Configuration Designer reference) + +Use to configure settings to personalize a PC. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [DeployDesktopImage](#deploydesktopimage) | X | | | | | +| [DeployLockScreenImage](#deploylockscreenimage) | X | | | | | +| [DesktopImageUrl](#desktopimageurl) | X | | | | | +| [LockScreenImageUrl](#lockscreenimageurl) | X | | | | | + +## DeployDesktopImage + +Deploy a jpg, jpeg or png image to the device to be used as desktop image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [DesktopImageUrl](#desktopimageurl). + +When using **DeployDesktopImage** and [DeployLockScreenImageFile](#deploylockscreenimage, the file names need to be different. + +## DeployLockScreenImage + +Deploy a jpg, jpeg or png image to the device to be used as lock screen image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [LockScreenImageUrl](#lockscreenimageurl). + +When using [DeployDesktopImage](#deploydesktopimage) and **DeployLockScreenImageFile**, the file names need to be different. + +## DesktopImageUrl + +Specify a jpg, jpeg or png image to be used as desktop image. This setting can take a http or https url to a remote image to be downloaded or a file url to a local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployDesktopImage](#deploydesktopimage). 
+ +## LockScreenImageUrl + +Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded or a file Url to an existing local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployLockScreenImage](#deploylockscreenimage). \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md new file mode 100644 index 0000000000..f672b70b05 --- /dev/null +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -0,0 +1,449 @@ +--- +title: Policies (Windows 10) +description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Policies (Windows Configuration Designer reference) + +This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider). + +## AboveLock + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowActionCenterNotifications](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | +| [AllowToasts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. 
| X | X | | | | + +## Accounts + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | +| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | | | +| [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | +| [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | + + +## ApplicationDefaults + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [DefaultAssociationsConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | + + +##ApplicationManagement + + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| 
[AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Windows Store apps are allowed | X | X | | | | +| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Windows Store is allowed | X | X | | | | +| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | +| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | +| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | +| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device (?) | | X | | | | +| [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | | +| [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | | +| [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | | + + + + +## Authentication + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowFastReconnect](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | + + +## BitLocker + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [EncryptionMethod](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | + + +## Bluetooth + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | +| 
[AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | +| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X | +| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | +| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | | | + +## Browser + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | | +| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | | +| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. 
| | X | | | | +| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | | +| [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | +| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | | +| [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | +| [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | | +| [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | +| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | | +| [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. 
| X | X | X | | | +| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | | +| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | | | +| [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | | | | | +| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | | +| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | | | +| [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | +| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. 
| X | X | X | | | +| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | +| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | | +| EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | +| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | | +| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | | +| [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. 
| X | | | | | +| [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | | +| [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | | +| [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | | +| [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | | +| [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | +| [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. 
| X | X | X | | | +| [howMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | + + +## Camera + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | | + + +## Connectivity + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | | | +| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | | +| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. 
| X | X | X | | | +| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | | +| [AllowNFC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | | +| [AllowUSBConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | | +| [AllowVPNOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | | +| [AllowVPNRoamingOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. 
| X | X | X | | | + +## Cryptography + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowFipsAlgorithmPolicy](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | | +| [TLSCiperSuites](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | | + +## Defender + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowArchiveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | | +| [AllowBehaviorMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | | +| [AllowCloudProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. 
| X | | | | | +| [AllowEmailScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | | +| [AllowFullScanOnMappedNetworkDrives](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | | +| [AllowFullScanRemovableDriveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | | +| [AllowIntrusionPreventionSystem](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | | +| [AllowIOAVProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | | +| [AllowOnAccessProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | | +| [AllowRealtimeMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. 
| X | | | | | +| [AllowScanningNetworkFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | | +| [AllowScriptScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | | +| [AllowUserUIAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | | +| [AvgCPULoadFactor](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | | +| [DaysToRetainCleanedMalware](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | | +| [ExcludedExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | | +| [ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. 
| X | | | | | +| [ExcludedProcesses](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | | +| [RealTimeScanDirection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | | +| [ScanParameter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | | +| [ScheduleQuickScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | | +| [ScheduleScanDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | | +| [ScheduleScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. 
| X | | | | | +| [SignatureUpdateInterval](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | | +| [SubmitSamplesConsent](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | | +| [ThreatSeverityDefaultAction](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | | + +## DeliveryOptimization + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [DOAbsoluteMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | | +| [DOAllowVPNPeerCaching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | | +| [DODownloadMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. 
| X | | | | | +| [DOGroupId](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | | +| [DOMaxCacheAge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | | +| [DOMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | | +| [DOMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | | +| [DOMaxUploadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | | +| [DOMinBackgroundQos](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. 
| X | | | | | +| [DOMinBatteryPercentageAllowedToUpload](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | | +| [DOMinDiskSizeAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | | +| [DOMinFileSizeToCache](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | | +| [DOMinRAMAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | | +| [DOModifyCacheDrive](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | | +| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. 
| X | | | | | +| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | + + +## DeviceLock + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | +| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | | | +|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. 
| X | X | | | | +| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | | | +| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | | | +| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | | | +| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | | | +| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | | | +| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. 
| X | X | | | | +| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | | | +| [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | + + +## DeviceManagement + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | X | | | | | + + + +## Experience + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | +| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | | | +| [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | +| [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. 
| X | X | | | | +| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | | +| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | +| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | | | | | +| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | +| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. 
| X | | | | | +| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | +| [AllowWindowsConsumerFeatures](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | | +| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | +| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | +| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | +| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. 
| X | | | | | + + +## Games + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | + + +## Location + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | + + +## Privacy + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | +| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. 
| X | X | | | | + + +## Search + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | +| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | | | +| [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | +| AllowWindowsIndexer | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

    - **Off** setting disables Windows indexer
    - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
    - **Enterprise** setting reduces potential network loads for enterprises
    - **Standard** setting is appropriate for consuemrs | X | X | | | | +| [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | +| [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | +| [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | +| [PreventIndexingLowDiskSpaceMB](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | +| [PreventRemoteQueries](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | +| [SafeSearchPermissions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. 
| | X | | | | + + + +## Security + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | X | X | +| [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | +| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | X | X | +| [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | +| [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | +| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. 
| X | X | X | X | X | +| [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | + +## Settings + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | +| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | +| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | | +| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | + +## Start + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu. 
| X | | | | | +| AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderVideos |Control the visibility of the Videos shortcut on the Start menu. | X | | | | | +| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | +| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | | +| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | +| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. 
| X | | | | | +| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | +| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | | +| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | +| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | | +| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | +| [HideRestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | +| [HideShutDown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | | +| [HideSignOut](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. 
| X | | | | | +| [HideSleep](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | +| [HideSwitchAccount](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | +| [HideUserTile](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | +| [ImportEdgeAssets](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | | +| [NoPinningToTaskbar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | +| [StartLayout](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. 
For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | | + +## System + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | | +| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | X | X | +| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | +| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | +| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | X | X | +| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. 
| X | X | | | | +| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | +| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | + + +## TextInput + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowIMELogging](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | | +| [AllowIMENetworkAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | | +| [AllowInputPanel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | | +| [AllowJapaneseIMESurrogatePairCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. 
| X | | | | | +| [AllowJapaneseIVSCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | | +| [AllJapaneseNonPublishingStandardGlyph](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | | +| [AllowJapaneseUserDictionary](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | | +| [AllowKeyboardTextSuggestions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | | +| [AllowLanguageFeaturesUninstall](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | | +| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | +| [ExcludeJapaneseIMEExceptISO208](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. 
| X | | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | + + +## TimeLanguageSettings + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowSet24HourClock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | + + +## Update + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X | +| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. 
| X | X | X | X | X | +| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X | +| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | +| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | +| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | X | +| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. | X | X | X | X | X | +| AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X | +| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. 
| X | X | X | X | X | +| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X | +| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | +| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X | +| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X | +| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | +| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X | +| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. 
| X | X | X | X | X | +| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | X | +| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X | +| PhoneUpdateRestrictions | Deprecated | | X | | | | +| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | +| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | +| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | +| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X || +| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. 
| X | X | X | X | X | +| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | X | X | +| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | X | X | +| [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | +| [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | + + +## WiFi + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAutoConnectToWiFiSenseHotspots](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | +| [AllowInternetSharing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. 
| X | X | | | | +| [AllowManualWiFiConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | +| [AllowWiFi](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | +| [WLANScanMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | + +## WindowsInkWorkspace + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowSuggestedAppsInWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | | +| [AllowWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | | + + +## WindowsLogon + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [HideFastUserSwitching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. 
| X | | | | | + +## WirelessDisplay + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md new file mode 100644 index 0000000000..7ab3bd2e35 --- /dev/null +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -0,0 +1,27 @@ +--- +title: ProvisioningCommands (Windows 10) +description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ProvisioningCommands (Windows Configuration Designer reference) + +Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md). + + + + 
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md new file mode 100644 index 0000000000..744e0acd11 --- /dev/null +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -0,0 +1,61 @@ +--- +title: SharedPC (Windows 10) +description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# SharedPC (Windows Configuration Designer reference) + +Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## AccountManagement + +Use these settings to configure settings for accounts allowed on the shared PC. + +| Setting | Value | Description | +| --- | --- | --- | +| AccountModel | - Only guest
    - Domain-joined only
    - Domain-joined and guest | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC.

    - Only guest allows anyone to use the PC as a local standard (non-admin) account.
    - Domain-joined only allows users to sign in with an Active Directory or Azure AD account.
    - Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| DeletionPolicy | - Delete immediately
    - Delete at disk space threshold
    - Delete at disk space threshold and inactive threshold | - Delete immediately will delete the account on sign-out.
    - Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for DiskLevelDeletion, and it will stop deleting accounts when the available disk space reaches the threshold you set for DiskLevelCaching. Accounts are deleted in order of oldest accessed to most recently accessed.
    - Delete at disk space threshold and inactive threshold will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by InactiveThreshold | +| DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | +| DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | +| EnableAccountManager | True or false | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | +| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | +| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) | +| KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | + + +## EnableSharedPCMode + +Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings). 
+ +Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**. + +## PolicyCustomization + +Use these settings to configure policies for shared PC mode. + +| Setting | Value | Description | +| --- | --- | --- | +| MaintenanceStartTime | A number between 0 and 1440 | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | +| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | +| RestrictLocalStorage | True or false | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) | +| SetEduPolicies | True or false | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | +| SetPowerPolicies | True or false | When set as **True**:

    - Prevents users from changing power settings
    - Turns off hibernate
    - Overrides all power state transitions to sleep (e.g. lid close) | +| SignInOnResume | True or false | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | +| SleepTimeout | Number | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | + +## Related topics + +- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md new file mode 100644 index 0000000000..a0b581cb04 --- /dev/null +++ b/windows/configuration/wcd/wcd-shell.md @@ -0,0 +1,23 @@ +--- +title: Shell (Windows 10) +description: This section describes the Shell settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Shell (Windows Configuration Designer reference) + +Do not use. Use [Start > StartLayout](wcd-start.md#startlayout) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + + diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md new file mode 100644 index 0000000000..df459903c7 --- /dev/null +++ b/windows/configuration/wcd/wcd-smisettings.md 
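Review bot: in wcd-sharedpc.md the DiskLevelCaching and DiskLevelDeletion rows never state the constraint that the DeletionPolicy description implies: deletion starts when free space falls below DiskLevelDeletion and stops when it reaches DiskLevelCaching, so DiskLevelCaching must be set higher than DiskLevelDeletion. Say so in both rows, and note that both values also apply under "Delete at disk space threshold and inactive threshold", not only under "Delete at disk space threshold". Smaller points: the last bullet in the DeletionPolicy description ends without a period ("...specified by InactiveThreshold"), the file has no trailing newline, and in wcd-shell.md the sentence "Do not use. Use [Start > StartLayout](wcd-start.md#startlayout)" is missing its terminating period.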
@@ -0,0 +1,107 @@ +--- +title: SMISettings (Windows 10) +description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# SMISettings (Windows Configuration Designer reference) + +Use SMISettings settings to customize the device with custom shell, suppress Windows UI during boot and sign-in, and block or allow specific keys. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## All settings in SMISettings + +The following table describes the settings in SMISettings. Some settings have additional details in sections after the table. + +| Setting | Value | Description | +| --- | --- | --- | +| AutoLogon | Enable
    Domain name
    Password
    UserName | Allows automatic sign-in at startup so that the user does not need to enter a user name and password. | +| BrandingNeutral | See [BrandingNeutral values](#brandingneutral-values) | Specifies which UI elements display on the Welcome screen. | +| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved in the event of a crash. | +| DisableBootMenu | True or false | Disables the F8 and F10 keys during startup to prevent access to the **Advanced Startup Options** menu. | +| DisplayDisabled | True or false | Configures the device to display a blank screen when the OS encounters an error that it cannot recover from. | +| HideAllBootUI | True or false | Suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | +| HideAutologonUI | True or false | Hides the Welcome screen when automatic sign-in (AutoLogon) is enabled. | +| HideBootLogo | True or false | Suppresses the default Windows logo that displays during the OS loading phase. | +| HideBootStatusIndicator | True or false | Suppresses the status indicator that displays during the OS loading phase. | +| HideBootStatusMessages | True or false | Suppresses the startup status text that displays during the OS loading phase. | +| HideFirstLogonAnimation | True or false | Disable the animation during the first sign-in. | +| KeyboardFilter | See [KeyboardFilter settings](#keyboardfilter-settings) | Use these settings to configure devices to suppress key presses or key combinations. | +| NoLockScreen | True or false | Disables the lock screen functionality and UI elements | +| ShellLauncher | See [ShellLauncher settings](#shelllauncher-settings) | Settings used to specify the application or executable to use as the default custom shell. | +| UIVerbosityLevel | Suppress or do not suppress | Disables the Windows status messages during device startup, sign-in, and shut down. 
| + +## BrandingNeutral values + +The following table shows the possible values. You can combine these values using bitwise exclusive-OR logic to disable multiple Welcome screen UI elements. + +The default value is **17**, which disables all Welcome screen UI elements and the Switch user button. + +| Value | Description | +| --- | --- | +| 1 | Disables all Welcome screen UI elements | +| 2 | Disables the Power button | +| 4 | Disables the Language button | +| 8 | Disables the Ease of access button | +| 16 | Disables the Switch user button | +| 32 | Disables the blocked shutdown resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any applications that are blocking system shut down. No UI is displayed and users are not given a chance to cancel the shutdown process. This can result in a loss of data if any open applications have unsaved data. | + +## CrashDumpEnabled values + +Contains an integer that specifies the type of information to capture in a dump (.dmp) file that is generated when the system stops unexpectedly. + +The .dmp file is typically saved in %SystemRoot% as Memory.dmp. + +Set CrashDumpEnabled to one of the following values: + +| Value | Description | +| --- | --- | +| 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. | +| 2 | Records only the kernel memory. This dump file includes only memory that is allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It does not include unallocated memory or any memory that is allocated to user-mode programs.

    For most purposes, this kind of dump file is the most useful because it is significantly smaller than the complete memory dump file, but it contains information that is most likely to have been involved in the issue.

    If a second problem occurs, the dump file is overwritten with new information. | +| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:

    - A list of loaded drivers

    - The processor context (PRCB) for the processor that stopped

    - The process information and kernel context (EPROCESS) for the process that stopped

    - The process information and kernel context (ETHREAD) for the thread that stopped

    - The kernel-mode call stack for the thread that stopped


    This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by analyzing this file.

    The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. | +| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. | +| 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. | +| Any other value | Disables crash dump and does not record anything. | + +## KeyboardFilter settings + +You can use KeyboardFilter to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. + +When you **enable** KeyboardFilter, a number of other settings become available for configuration. + +| Setting | Value | Description | +| --- | --- | --- | +| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that you may have that are not included in the predefined key filters.

    Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-customkey). | +| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.

    Enter a custom scancode in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-scancode). | +| DisableKeyboardFilterForAdministrators | True or false | Disables the keyboard filter for administrators. | +| ForceOffAccessibility | True or false | Disables all Ease of Access features and prevents users from enabling them. | +| PredefinedKeyFilters | Allow or block | Specifies the list of predefined keys. For each key, the value will default to **Allow**. Specifying **Block** will suppress the key combination. | + +[Learn more about using keyboard filters.](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) + +## ShellLauncher settings + +Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). + +You can also configure ShellLauncher to launch different shell applications for different users or user groups. + +>[!IMPORTANT] +>You may specify any executable file to be the default shell except C:\Windows\System32\Eshell.exe. Using Eshell.exe as the default shell will result in a blank screen after a user signs in. +> +>You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup. + +ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. 
You can configure the shell exit behavior if the default behavior does not meet your needs. + +>[!IMPORTANT] +>A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights cannot. If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for ShellLauncher to launch the shell application. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md new file mode 100644 index 0000000000..3256dea604 --- /dev/null +++ b/windows/configuration/wcd/wcd-start.md 
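Review bot: the final IMPORTANT block in wcd-smisettings.md tells readers to disable UAC when the custom shell needs elevation but says nothing about the cost. Since the same block states that the shell runs with the signed-in account's rights, disabling UAC for an administrator account means every process the shell launches runs with the full administrator token, so the text should recommend a dedicated non-administrator account for the shell user where the shell allows it and call out the trade-off explicitly. Two table rows also need attention: CustomScancodeFilters lists "Allow or block" as its value but the description opens with "Blocks the list of custom scan codes", which contradicts the Allow option (compare the wording of the CustomKeyFilters row); and the AutoLogon row accepts a Password value without saying how that credential is stored in the provisioning package, which readers need to know before embedding one. Under BrandingNeutral values, "bitwise exclusive-OR" should be "bitwise OR" (the flags are combined, not toggled), and the file is missing its trailing newline.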
@@ -0,0 +1,35 @@ +--- +title: Start (Windows 10) +description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Start (Windows Configuration Designer reference) + +Use Start settings to apply a customized Start screen to devices. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| StartLayout | X | X | | | | +| StartLayoutFilePath | | X | | | | + +>[!IMPORTANT] +>The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start). + +## StartLayout + +Use StartLayout to select the LayoutModification.xml file that applies a customized Start screen to a device. + +For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)). + +## StartLayoutFilePath + +Do not use. diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md new file mode 100644 index 0000000000..3e9d1ca9b2 --- /dev/null +++ b/windows/configuration/wcd/wcd-startupapp.md 
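Review bot: in wcd-start.md the link "[Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md))" has a trailing space inside the link text and an extra closing parenthesis, which renders a stray ")" after the link. The Applies to table also marks StartLayout for Desktop editions while the IMPORTANT note says it should only be used for Mobile devices; footnote the Desktop cell or reference the note there so the table and the note agree.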
@@ -0,0 +1,23 @@ +--- +title: StartupApp (Windows 10) +description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# StartupApp (Windows Configuration Designer reference) + +Use StartupApp settings to configure the default app that will run on start for Windows 10 IoT Core (IoT Core) devices. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| Default | | | | | X | + +Enter the [Application User Model ID (AUMID)](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md new file mode 100644 index 0000000000..2e5c3fa161 --- /dev/null +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -0,0 +1,22 @@ +--- +title: StartupBackgroundTasks (Windows 10) +description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# StartupBackgroundTasks (Windows Configuration Designer reference) + +Documentation not available at this time. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | | X | + 
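Review bot: wcd-startupbackgroundtasks.md ships with "Documentation not available at this time." as its only body text; a reference page that documents nothing should either get at least a one-sentence description of what the setting group configures or be held back until the text exists. Also, wcd-startupapp.md lacks a trailing newline, and wcd-startupbackgroundtasks.md ends with an empty `+` line.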
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md new file mode 100644 index 0000000000..4a6dbb3dd3 --- /dev/null +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -0,0 +1,35 @@ +--- +title: SurfaceHubManagement (Windows 10) +description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# SurfaceHubManagement (Windows Configuration Designer reference) + +Use SurfaceHubManagement settings to set the administrator group that will manage a Surface Hub that is joined to the domain. + +>[!IMPORTANT] +>These settings should be used only in provisioning packages that are applied during OOBE. + + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + + +## GroupName + +Enter the group name for the administrators group in Active Directory. + +## GroupSid + +Enter the SID or the administrators group in Active Directory. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md new file mode 100644 index 0000000000..5f454d89bb --- /dev/null +++ b/windows/configuration/wcd/wcd-tabletmode.md 
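Review bot: "Enter the SID or the administrators group" under GroupSid in wcd-surfacehubmanagement.md should read "the SID of the administrators group". The hunk also carries stray blank `+` lines between the IMPORTANT note and the Applies to heading, and the file has no trailing newline.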
@@ -0,0 +1,29 @@ +--- +title: TabletMode (Windows 10) +description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# TabletMode (Windows Configuration Designer reference) + +Use TabletMode to configure settings related to tablet mode. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | X | X | X | X | + +## ConvertibleSlateModePromptPreference + +Set the default for hardware-based prompts. + +## SignInMode + +Specify whether users switch to table mode by default after signing in. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md new file mode 100644 index 0000000000..c498ffd865 --- /dev/null +++ b/windows/configuration/wcd/wcd-takeatest.md 
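Review bot: "table mode" under SignInMode in wcd-tabletmode.md should be "tablet mode". ConvertibleSlateModePromptPreference only says "Set the default for hardware-based prompts" without listing the selectable values, unlike the other reference pages in this PR; add the value list. The file also lacks a trailing newline.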
@@ -0,0 +1,48 @@ +--- +title: TakeATest (Windows 10) +description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# TakeATest (Windows Configuration Designer reference) + +Use TakeATest to configure the Take A Test app, a secure browser for test-taking. Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. For more information, see [Take tests in Windows 10](https://docs.microsoft.com/education/windows/take-tests-in-windows-10). + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## AllowScreenMonitoring + +When set to True, students are able to record and take screen captures in the Take A Test app. + +## AllowTextSuggestions + +When set to True, students can see autofill suggestions from onscreen keyboards when typing in the Take A Test app. + +## LaunchURI + +Enter a link to an assessment that will be automatically loaded when the Take A Test app is opened. + +## RequirePrinting + +When set to True, students can print in the Take A Test app. + +## TesterAccount + +Enter the account to use when taking a test. + +To specify a domain account, enter **domain\user**. To specify an AAD account, enter **username@tenant.com**. To specify a local account, enter the username. + + +## Related topics + +- [SecureAssessment configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/secureassessment-csp) \ No newline at end of file 
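Review bot: the RequirePrinting section in wcd-takeatest.md describes the setting as "When set to True, students can print", which reads as a permission rather than a requirement; please confirm whether the setting name or the description is wrong, since a misread here changes what the locked-down test session allows. AllowScreenMonitoring should likewise state its default, because it controls whether screen recording and capture are possible inside the secure browser. The file is missing its trailing newline.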
diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md new file mode 100644 index 0000000000..bc5710c264 --- /dev/null +++ b/windows/configuration/wcd/wcd-theme.md @@ -0,0 +1,35 @@ +--- +title: Theme (Windows 10) +description: This section describes the Theme settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Theme (reference) + +Use Theme to configure accent and background colors on Windows 10 Mobile. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + +## DefaultAccentColor + +In the dropdown menu for DefaultAccentColor, select from the list of colors. The accent color is used for the background of the start tiles, some text, the progress indicator, the user’s My Phone web site, and so on. + + +## DefaultBackgroundColor + +Select between **Light** and **Dark** for theme. + + +## Related topics + +- [Themes and accent colors](https://msdn.microsoft.com/library/windows/hardware/dn772323(v=vs.85).aspx) diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md new file mode 100644 index 0000000000..5ba21b01a3 --- /dev/null +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md 
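Review bot: wcd-theme.md uses the heading "# Theme (reference)" whereas the other pages in this PR use "(Windows Configuration Designer reference)"; the same shorter form appears in the UnifiedWriteFilter and UniversalAppInstall headings, so pick one form for all of them. "Select between **Light** and **Dark** for theme." should be "for the theme", and the extra blank `+` lines before the DefaultBackgroundColor and Related topics headings can go.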
@@ -0,0 +1,65 @@ +--- +title: UnifiedWriteFilter (Windows 10) +description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UnifiedWriteFilter (reference) + + +Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF) in your device to help protect your physical storage media, including most standard writable storage types that are supported by the OS, such as physical hard disks, solidate-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writeable volume. + +>[!IMPORTANT] +>You cannot use UWF to protect external USB devices or flash drives. + +UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives. + +The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume. + +>[!NOTE] +>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume. 
+ +[Learn more about the Unified Write Filter feature.](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter) + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | X | + +## FilterEnabled + +Set to **True** to enable UWF. + +## OverlaySize + +Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The minimum value for maximum overlay size is 1024. + +>[!NOTE] +>UnifiedWriteFilter must be enabled for this setting to work. + +## OverlayType + +OverlayType specifies where the overlay is stored. Select between **RAM** (default) and **Disk** (pre-allocated file on the system volume). + +## RegistryExclusions + +You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts. + +Use **Add** to add a registry entry to the exclusion list after you restart the device. + +Use **Remove** to remove a registry entry from the exclusion list after you restart the device. + +## Volumes + +Enter a drive letter for a volume to be protected by UWF. + +>[!NOTE] +>In the current OS release, Windows Configuration Designer contains a validation bug. To work around this issue, you must include a ":" after the drive letter when specifying the value for the setting. For example, if you are specifying the C drive, you must set DriveLetter to "C:" instead of just "C". \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md new file mode 100644 index 0000000000..50f88c2fdc --- /dev/null +++ b/windows/configuration/wcd/wcd-universalappinstall.md 
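Review bot: "solidate-state drives" in the wcd-unifiedwritefilter.md intro should be "solid-state drives", and "writeable" in the same paragraph should be "writable". Under RegistryExclusions, "Use **Add** to add a registry entry to the exclusion list after you restart the device" reads as if the restart comes first; the intended meaning is that the addition or removal takes effect after a restart, so reword both sentences. The OverlaySize note says "UnifiedWriteFilter must be enabled" but the setting that enables it is FilterEnabled; name it. The NTFS note says journal writes can reach a protected volume before UWF loads but stops there; state the consequence for the reader or drop the note. The Volumes note refers to "the current OS release" for the validation bug; give the release so the workaround can be retired later. The file also lacks a trailing newline.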
@@ -0,0 +1,79 @@ +--- +title: UniversalAppInstall (Windows 10) +description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UniversalAppInstall (reference) + + +Use UniversalAppInstall settings to install Windows apps from the Microsoft Store or a hosted location. + +>[!NOTE] +>You can only use the Windows provisioning settings and provisioning packages for apps where you have the available installation files, namely with sideloaded apps that have an offline license. [Learn more about offline app distribution.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [DeviceContextApp](#devicecontextapp) | X | | X | | | +| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | | +| [UserContextApp](#usercontextapp) | X | X | X | X | X | +| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X | + +## DeviceContextApp + +Enter an app package family name to install an app for all users of the device. You can use the [Get-AppxPackage cmdlet](https://technet.microsoft.com/itpro/powershell/windows/appx/get-appxpackage) to get the package family name for an installed app. + +>[!NOTE] +>For XAP files, enter the product ID. + +For each app that you add to the package, configure the settings in the following table. + +| Setting | Value | Description | +| --- | --- | --- | +| ApplicationFile | .appx or .appxbundle | Set the value to the app file that you want to install on the device. 
In addition, you must also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. | +| DependencyAppxFiles | any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. | +| DeploymentOptions | - None
    -Force application shutdown: If this package, or any package that depends on this package, is currently in use, the processes associated with the package are shut down forcibly so that registration can continue
    - Development mode: do not use
    - Install all resources: When you set ths option, the app is instructed to skip resource applicability checks.
    - Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. | +| LaunchAppAtLogin | - Do not launch app
    - Launch app | Set the value for app behavior when a user signs in. | +| OptionalPackageFiles | additional files required by the package | Browse to, select, and add the optional package files. | + +For more information on deployment options, see [DeploymentOptions Enum](https://docs.microsoft.com/uwp/api/windows.management.deployment.deploymentoptions). + +## DeviceContextAppLicense + +Use to specify the license file for the provisioned app. + +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. + +2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. + + +## UserContextApp + +Use to add a new user context app. + +1. Specify a **PackageFamilyName** for the app, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings. + +Setting | Value | Description +--- | --- | --- +ApplicationFile | app file | Browse to, select, and add the application file, +DependencyAppxFiles | additional files required by the app | Browse to, select, and add dependency files. +DeploymentOptions | - None

    - Force application shutdown

    - Development mode

    - Install all resources

    - Force target application shutdown | Select a deployment option. +LaunchAppAtLogin | - Do not launch app

    - Launch app | Select whether the app should be started when a user signs in. + + +## UserContextAppLicense + +Use to specify the license file for the user context app. + +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. + +2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md new file mode 100644 index 0000000000..70cd723052 --- /dev/null +++ b/windows/configuration/wcd/wcd-universalappuninstall.md 
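Review bot: In wcd-universalappinstall.md, the ApplicationFile description for DeviceContextApp says you must "enable the AllowAllTrustedApps setting and add a root certificate or license file" without saying where either is done; link the certificate step to the Certificates settings group (wcd-certificates.md, already in the index) and the license step to the DeviceContextAppLicense section below, since a sideloaded package is only trusted once its signing root is in the package too. Smaller fixes in the same hunk: "ths option" in the Install all resources row, the missing space in "-Force application shutdown", the trailing comma in "Browse to, select, and add the application file,", and the UserContextApp DeploymentOptions row repeats the same five options without the explanations the DeviceContextApp row gives them; point to the first table rather than listing them bare.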
@@ -0,0 +1,40 @@ +--- +title: UniversalAppUninstall (Windows 10) +description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UniversalAppUninstall (reference) + + +Use UniversalAppUninstall settings to uninstall or remove Windows apps. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | | +| [Uninstall](#uninstall) | X | X | X | X | X | + +## RemoveProvisionedApp + +Universal apps can be *provisioned*, which means that they are available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user. + +Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user are not uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting. + +1. Enter the PackageFamilyName for the app package, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**. + +## Uninstall + +Use **Uninstall** to remove provisioned apps that have been installed by a user. + +1. Enter the PackageFamilyName for the app package, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md new file mode 100644 index 0000000000..31685f534d --- /dev/null 
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -0,0 +1,27 @@ +--- +title: UsbErrorsOEMOverride (Windows 10) +description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UsbErrorsOEMOverride (reference) + + +Use UsbErrorsOEMOverride settings to . + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | X | X | X | X | | + +## HideUsbErrorNotifyOptionUI + + diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md new file mode 100644 index 0000000000..92f8844d81 --- /dev/null +++ b/windows/configuration/wcd/wcd-weakcharger.md 
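Review bot: In wcd-usberrorsoemoverride.md, the introduction is unfinished ("Use UsbErrorsOEMOverride settings to .") and the HideUsbErrorNotifyOptionUI section has no body, so the topic documents nothing; either complete both before merge, following the pattern of the neighbouring WeakCharger topic (what the setting controls, the default, and the values to choose between), or hold the file back until the text exists.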
@@ -0,0 +1,43 @@ +--- +title: WeakCharger (Windows 10) +description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WeakCharger (reference) + + +Use WeakCharger settings to configure the charger notification UI. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | X | | +| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | X | | + + +## HideWeakChargerNotifyOptionUI + +This setting determines whether the user sees the dialog that's displayed when the user connects the device to an incompatible charging source. By default, the OS shows the weak charger notification option UI. + +Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger Notifications UI**. + +## NotifyOnWeakCharger + +This setting displays a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge or may not charge at all with the current charging source. + +An incompatible charging source is one that does not behave like one of the following port types as defined by the USB Battery Charging Specification, Revision 1.2, available on the USB.org website: +- Charging downstream port +- Standard downstream port +- Dedicated charging port + +Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**. + diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md new file mode 100644 index 0000000000..26c23a84ce --- /dev/null 
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -0,0 +1,103 @@ +--- +title: WindowsTeamSettings (Windows 10) +description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WindowsTeamSettings (reference) + + +Use WindowsTeamSettings settings to configure Surface Hub. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + +## Connect + +| Setting | Value | Description | +| --- | --- | --- | +| AutoLaunch | True or false | Open the Connect app automatically when someone projects. | +| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)
    - 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)
    - 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). | +| Enabled | True or false | Enables wireless projection to the device. | +| PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. | + +## DeviceAccount + +A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. + +| Setting | Value | Description | +| --- | --- | --- | +| CalendarSyncEnabled | True or false | Specifies whether calendar sync and other Exchange Server services are enabled. | +| DomainName | Domain of the device account when you are using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. | +| Email | Email address | Email address of the device account. | +| ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. | +| Password | Password | Password for the device account. | +| PasswordRotationEnabled | 0 = enabled
    1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. | +| SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. | +| UserName | User name | Username of the device account when you are using Active Directory. | +| UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. | +| ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. | + + +## FriendlyName + +Enter the name that users will see when they want to project wirelessly to the device. + +## MaintenanceHours + +Maintenance hours are the period of time during which automatic maintenance tasks are performed. + +| Setting | Value | Description | +| --- | --- | --- | +| Duration | Duration in minutes. For example, to set a 3-hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. | +| StartTime | Start time in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120 | Start time for when device is allowed to start downloading and installing updates. | + +## OMSAgent + +Configures the Operations Management Suite workspace. 
+ +| Setting | Value | Description | +| --- | --- | --- | +| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. | +| WorkspaceKey | Key | Primary key for authenticating with the workspace. | + +## Properties + +| Setting | Value | Description | +| --- | --- | --- | +| AllowAutoProxyAuth | True or false | Specifies if the Surface Hub can use the device account to authenticate into proxy servers requiring authentication. | +| AllowSessionResume | True or false | Specifies if users are allowed to resume their session after session timeout. | +| DefaultVolume | Numeric value between 0 and 100 | Default speaker volume. Speaker volume will be set to this value at every session startup. | +| DisableSigninSuggestions | True or false | Specifies if the Surface Hub will not show suggestions when users try to sign in to see their meetings and files. | +| DoNotShowMyMeetingsAndFiles | True or false | Specifies if users can sign in and have full access to personal meetings and most recently used documents. | +| ScreenTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will turn off its screen. | +| SessionTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will time out the current session and return to the welcome screen. | +| SleepTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will go into a sleep state. | + +## SkypeForBusiness + +| Setting | Value | Description | +| --- | --- | --- | +| DomainName | Domain name | Specifies the domain name of the target server when the Skype for Business server is in a domain that's different from the device account. 
| + +## Welcome + +| Setting | Value | Description | +| --- | --- | --- | +| AutoWakeScreen | True or false | Specifies whether to automatically turn on the screen using motion sensors. | +| CurrentBackgroundPath | Https URL to a PNG file | Background image for the welcome screen. | +| MeetingInfoOption | 0 = organizer and time only
    1 = organizer, time, and subject (subject is hidden for private meetings) | Specifies whether meeting information is displayed on the welcome screen. | + +## Related topics + +- [SurfaceHub configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/surfacehub-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md new file mode 100644 index 0000000000..80bbb26cf5 --- /dev/null +++ b/windows/configuration/wcd/wcd-wlan.md @@ -0,0 +1,24 @@ +--- +title: WLAN (Windows 10) +description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WLAN (reference) + + +Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connectivityprofiles.md#wlan) + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | X | | + diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md new file mode 100644 index 0000000000..8db1aa11a4 --- /dev/null +++ b/windows/configuration/wcd/wcd-workplace.md 
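Review bot: In wcd-windowsteamsettings.md, the DeviceAccount Password row and the OMSAgent WorkspaceKey row take secrets that end up inside the provisioning package, but nothing in the topic says so; add a caution next to those rows that the package contains the device account password and the workspace primary key and must be protected and distributed accordingly. Two rows are also easy to misread: "PasswordRotationEnabled | 0 = enabled 1 = disabled" inverts the usual 1 = on convention, so spell it out ("0 turns rotation on, 1 turns it off"), and the DoNotShowMyMeetingsAndFiles description ("Specifies if users can sign in and have full access ...") reads as the opposite of the setting name; write each Properties row as what a True value does. Minor: "MOM agent" in the WorkspaceID row should be "OMS agent" to match the section title, and "5ghz" should be "5 GHz".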
@@ -0,0 +1,38 @@ +--- +title: Workplace (Windows 10) +description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Workplace (reference) + + +Use Workplace settings to configure bulk user enrollment to a mobile device management (MDM) service. For more information, see [Bulk enrollment step-by-step](https://docs.microsoft.com/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool). + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Enrollments](#enrollments) | X | X | X | X | X | + +## Enrollments + +Select **Enrollments**, enter a UPN, and then click **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com" + +| Settings | Value | Description | +| --- | --- | --- | +| AuthPolicy | - OnPremise
    - Certificate | The authentication policy used by the MDM service | +| DiscoveryServiceFullUrl | URL | The full URL for the discovery service | +| EnrollmentServiceFullUrl | URL | The full URL for the enrollment service | +| PolicyServiceFullUrl | URL | The full URL for the policy service | +| Secret | - Password string for on-premise authentication enrollment
    - Federated security token for federated enrollment
    - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy | + +## Related topics + +- [Provisioning configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/provisioning-csp) diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md new file mode 100644 index 0000000000..080f9e469f --- /dev/null +++ b/windows/configuration/wcd/wcd.md 
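Review bot: In wcd-workplace.md, the AuthPolicy row offers only OnPremise and Certificate, yet the Secret row describes three cases, including "Federated security token for federated enrollment"; either AuthPolicy is missing a Federated value or the federated bullet under Secret does not belong, and the two rows need to agree before this ships. Because Secret carries the enrollment password, token or thumbprint inside the package, a sentence on protecting the package would help readers who copy the "generic-device@contoso.com" service-account setup. Also fix "this must a service account" (missing "be") and "thumb print" (thumbprint).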
@@ -0,0 +1,77 @@ +--- +title: Windows Configuration Designer provisioning settings (Windows 10) +description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Windows Configuration Designer provisioning settings (reference) + +This section describes the settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. + +## Edition that each group of settings applies to + +| Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Accounts](wcd-accounts.md) | X | X | X | X | X | +| [ADMXIngestion](wcd-admxingestion.md) | X | | | | | +| [ApplicationManagement](wcd-applicationmanagement.md) | X | X | X | X | X | +| [AssignedAccess](wcd-assignedaccess.md) | X | X | | X | | +| [AutomaticTime](wcd-automatictime.md) | | X | | | | +| [Browser](wcd-browser.md) | X | X | X | X | | +| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | | +| [Cellular](wcd-cellular.md) | X | | | | | +| [Certificates](wcd-certificates.md) | X | X | X | X | X | +| [CleanPC](wcd-cleanpc.md) | X | | | | | +| [Connections](wcd-connections.md) | X | X | X | X | | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | X | +| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | | +| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | +| [DeveloperSetup](wcd-developersetup.md) | | | | X | | +| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | | +| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | | +| [DMClient](wcd-dmclient.md) | X | X | X | X | X | +| 
[EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | | +| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | | +| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | +| [FirstExperience](wcd-firstexperience.md) | | | | X | | +| [Folders](wcd-folders.md) |X | X | X | X | | +| [InitialSetup](wcd-initialsetup.md) | | X | | | | +| [InternetExplorer](wcd-internetexplorer.md) | | X | | | | +| [Licensing](wcd-licensing.md) | X | | | | | +| [Maps](wcd-maps.md) |X | X | X | X | | +| [Messaging](wcd-messaging.md) | | X | | | | +| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | +| [Multivariant](wcd-multivariant.md) | | X | | | | +| [NetworkProxy](wcd-networkproxy.md) | | | X | | | +| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | | X | | | +| [NFC](wcd-nfc.md) | | X | | | | +| [OOBE](wcd-oobe.md) | X | X | | | | +| [OtherAssets](wcd-otherassets.md) | | X | | | | +| [Personalization](wcd-personalization.md) | X | | | | | +| [Policies](wcd-policies.md) | X | X | X | X | X | +| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | | +| [SharedPC](wcd-sharedpc.md) | X | | | | | +| [Shell](wcd-shell.md) | | X | | | | +| [SMISettings](wcd-smisettings.md) | X | | | | | +| [Start](wcd-start.md) | X | X | | | | +| [StartupApp](wcd-startupapp.md) | | | | | X | +| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | +| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | +| [TabletMode](wcd-tabletmode.md) |X | X | X | X | | +| [TakeATest](wcd-takeatest.md) | X | | | | | +| [Theme](wcd-theme.md) | | X | | | | +| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | | +| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X | +| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X | +| [WeakCharger](wcd-weakcharger.md) |X | X | X | X | | +| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | | +| [WLAN](wcd-wlan.md) | | | | X | | +| 
[Workplace](wcd-workplace.md) |X | X | X | X | X | + + diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 9a9b601234..f786f2f6ad 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -67,10 +67,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. ->[!WARNING] -> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. -> -> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release. ![lockscreen policy details](images/lockscreenpolicy.png) diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 9881348c83..b070057f1d 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md 
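Review bot: In wcd.md, the edition table disagrees with the topics it links to: the UnifiedWriteFilter row marks Desktop editions only, while wcd-unifiedwritefilter.md in this same change shows "All settings | X | | | | X |", that is Desktop and IoT Core; one of the two is wrong. The table also has no row for the new wcd-usberrorsoemoverride.md, so that topic is unreachable from the index; add "[UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | X | X | X | X | |" to match its own Applies to table, or drop the file until it is written. In the windows-spotlight.md hunk on the same line, the WARNING about the "Force a specific default lock screen image" policy in versions 1607 and 1703 is deleted with no replacement statement; if the behaviour is fixed, say in which release, otherwise the warning should stay.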
@@ -14,19 +14,6 @@ ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) -### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) -#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) -#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md) -#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md) -##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md) -#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) -##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) -##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md) -##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) -##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) -##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) -#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md) - ### [Windows 10 deployment test lab](windows-10-poc.md) #### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) #### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) 
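Review bot: In windows/deployment/TOC.md, this hunk removes the twelve Upgrade Readiness entries without a visible replacement; the "## Windows Analytics" heading later in the same file suggests they are meant to move there, so either the matching additions should appear in this change or the commit should state that they already exist, and the same question applies to the Update Compliance entries removed in the next hunk. Dropping topics from the TOC while the .md files remain leaves them reachable only by direct link, so confirm the new location or a redirect is in place.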
@@ -218,9 +205,6 @@ ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) -### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) -#### [Get started with Update Compliance](update/update-compliance-get-started.md) -#### [Use Update Compliance](update/update-compliance-using.md) ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) @@ -237,6 +221,9 @@ ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) +#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md) +##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md) +##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) ## Windows Analytics diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md new file mode 100644 index 0000000000..941c15911e --- /dev/null +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md 
@@ -0,0 +1,20 @@ +--- +title: Windows Autopilot EULA dismissal – important information +description: A notice about EULA dismissal through Windows AutoPilot +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: high +ms.author: mayam +ms.date: 08/22/2017 +ROBOTS: noindex,nofollow +--- +# Windows Autopilot EULA dismissal – important information + +>[!IMPORTANT] +>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). + +Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. + +By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. \ No newline at end of file diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 6881363aa1..472e7ccf66 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- 
@@ -14,8 +15,18 @@ author: greg-lindsay This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
    +>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
    + +## Enabling Subscription Activation with an existing EA + +If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: + +1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:
    + a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
    + b. **AAA-51068*** - Win10UsrOLSActv Alng MonthlySub Addon E5
    +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Also in this article: - [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. @@ -91,6 +102,9 @@ Now the device is Azure AD joined to the company’s subscription. **To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** +>[!IMPORTANT] +>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. + 1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. Connect to work or school configuration @@ -191,5 +205,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct A popup window will display the Windows 10 version number and detailed OS build information. - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. - + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. \ No newline at end of file diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index fddacf3a05..e11c92867c 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,6 +7,7 @@ ms.localizationpriority: high ms.prod: w10 ms.sitesec: library ms.pagetype: deploy +ms.date: 08/23/2017 author: greg-lindsay --- 
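Review bot: In deploy-enterprise-licenses.md, the new "Enabling Subscription Activation with an existing EA" list has a markup slip in "b. **AAA-51068*** - Win10UsrOLSActv Alng MonthlySub Addon E5": the third asterisk unbalances the bold and will render literally; make it "**AAA-51068**" like the E3 line above it. In the same list, "depending on their current Windows Enterprise SA license" should read "your", since the steps address the customer, and "$0 SKU" wants an article ("a $0 SKU"). The re-added Note lines at the top of the hunk differ from the removed ones only by trailing whitespace; drop that churn so the diff shows the real change. The IMPORTANT about a BUILTIN/Administrator account not being able to use "+ Connect" is a useful addition; consider also stating which kind of account does work so the reader is not left without a next step.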
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index c6d38e7d4d..e5e8d59bf7 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc   5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings: 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 8.1 + 2. Select the operating system for which roles are to be installed: Windows 10 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) **Important**   @@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except ### Update the deployment share -After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created. +After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. 1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. 
@@ -566,7 +566,7 @@ SkipFinalSummary=YES The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.   - **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. - **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. - **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index aa4243f2cf..d493765134 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: high +ms.date: 09/05/2017 author: greg-lindsay --- diff --git a/windows/deployment/images/ua-step2-blades.png b/windows/deployment/images/ua-step2-blades.png new file mode 100644 index 0000000000..c86f7a4338 Binary files /dev/null and b/windows/deployment/images/ua-step2-blades.png differ 
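Review bot: The HideShell bullet in the `@@ -566,7 +566,7 @@` hunk swaps "Windows 8.1" for "Windows 10" but keeps the justification "in which the deployment wizard will otherwise appear behind the tiles", which was written for the Windows 8.1 Start screen. If the point still holds for Windows 10, reword it so the reason matches the new OS (for example, that the wizard is hidden behind the Start menu or Explorer shell); otherwise drop the second sentence rather than attaching the old rationale to a different OS.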
diff --git a/windows/deployment/images/ua-step2-low-risk.png b/windows/deployment/images/ua-step2-low-risk.png new file mode 100644 index 0000000000..6e9daf0233 Binary files /dev/null and b/windows/deployment/images/ua-step2-low-risk.png differ diff --git a/windows/deployment/index.md b/windows/deployment/index.md index 7d139ec69e..6841274b4c 100644 --- a/windows/deployment/index.md +++ b/windows/deployment/index.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: high +ms.date: 09/05/2017 author: greg-lindsay --- diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index c87802238e..f828bce6a8 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay +ms.date: 09/05/2017 ms.localizationpriority: high --- 
@@ -17,28 +18,41 @@ ms.localizationpriority: high ## Summary -**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. -MBR2GPT.EXE is located in the **Windows\\System32** directory on a Windows 10 computer running Windows 10 version 1703 or later. +See the following video for a detailed description and demonstration of MBR2GPT. -You can use MBR2GPT to perform the following: + -- \[Within the Windows PE environment\]: Convert any attached MBR-formatted system disk to the GPT partition format. -- \[From within the currently running OS\]: Convert any attached MBR-formatted system disk to the GPT partition format. - ->MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions. +>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. >The tool is available in both the full OS environment and Windows PE. -You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. +You can use MBR2GPT to: -The MBR2GPT tool can convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. 
However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. +- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. +- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. >[!IMPORTANT] >After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
    Make sure that your device supports UEFI before attempting to convert the disk. - +## Prerequisites + +Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: +- The disk is currently using MBR +- There is enough space not occupied by partitions to store the primary and secondary GPTs: + - 16KB + 2 sectors at the front of the disk + - 16KB + 1 sector at the end of the disk +- There are at most 3 primary partitions in the MBR partition table +- One of the partitions is set as active and is the system partition +- The disk does not have any extended/logical partition +- The BCD store on the system partition contains a default OS entry pointing to an OS partition +- The volume IDs can be retrieved for each volume which has a drive letter assigned +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option + +If any of these checks fails, the conversion will not proceed and an error will be returned. ## Syntax 
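Review bot: Two grammar slips in the new Summary and Prerequisites text of the `@@ -17,28 +18,41 @@` hunk: "Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported" should read "is not officially supported", and "All partitions on the disk are of MBR types recognized by Windows or has a mapping specified" should read "or have a mapping specified" (the same slip was carried over from the removed Disk validation section). Also, the added line "See the following video for a detailed description and demonstration of MBR2GPT." is followed in this diff only by a blank `+` line, so confirm the video embed is actually present in the file. Finally, the BitLocker bullet tells the reader to delete and recreate protectors after conversion but says nothing about the consequence that previously backed-up recovery information for those protectors no longer applies; a sentence pointing to backing up the new recovery key would close that gap.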
@@ -217,22 +231,6 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr 5. The boot configuration data (BCD) store is updated. 6. Drive letter assignments are restored. -### Disk validation - -Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: -- The disk is currently using MBR -- There is enough space not occupied by partitions to store the primary and secondary GPTs: - - 16KB + 2 sectors at the front of the disk - - 16KB + 1 sector at the end of the disk -- There are at most 3 primary partitions in the MBR partition table -- One of the partitions is set as active and is the system partition -- The disk does not have any extended/logical partition -- The BCD store on the system partition contains a default OS entry pointing to an OS partition -- The volume IDs can be retrieved for each volume which has a drive letter assigned -- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option - -If any of these checks fails, the conversion will not proceed and an error will be returned. - ### Creating an EFI system partition For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 69ba2f2170..ac8ae9af63 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md 
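Review bot: The `@@ -217,22 +231,6 @@` hunk removes the `### Disk validation` heading when it moves the list up to Prerequisites, which breaks any existing in-page or external links to `#disk-validation`. Suggest grepping the repo for that anchor and either updating those links to `#prerequisites` or leaving a short stub under the old heading that points to the new section.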
@@ -1,7 +1,7 @@ --- title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: high 
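Review bot: The keywords line in the `@@ -1,7 +1,7 @@` hunk is being edited anyway ("servicing branches" to "servicing channels"), but the typo "manage udpates" is carried over unchanged on both the `-` and `+` lines. Fix it to "manage updates" while touching this line, since the keywords field feeds search.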
@@ -80,9 +80,9 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. -### What are the servicing branches? +### What are the servicing channels? -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. 
With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). ### What tools can I use to manage Windows as a service updates? 
@@ -92,13 +92,13 @@ There are many tools are available. You can choose from these: - Windows Server Update Services - System Center Configuration Manager -For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches). +For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). ## User experience ### Where can I find information about new features and changes in Windows 10 Enterprise? -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index eaf38c75d5..9df4b51c9b 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md 
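Review bot: Good catch replacing the `https://tnstage.redmond.corp.microsoft.com/...?branch=rs2` link with the public `/windows/whats-new/whats-new-windows-10-version-1703` path in the `@@ -92,13 +92,13 @@` hunk; an internal staging hostname in published docs is both a broken link for readers and an unnecessary disclosure of internal infrastructure, so it is worth adding a link check for `corp.microsoft.com` hosts to the build. While here, the context line in the hunk header reads "There are many tools are available." and should be "There are many tools available."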
@@ -39,37 +39,37 @@ Online Crash Analysis | oca.telemetry.microsoft.com Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). -**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. +**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. **If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - [![](images/uc-02a.png)](images/uc-02.png) + [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) 2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 
- [![](images/uc-03a.png)](images/uc-03.png) + [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png) 3. Create a new OMS workspace. - [![](images/uc-04a.png)](images/uc-04.png) + [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png) 4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - [![](images/uc-05a.png)](images/uc-05.png) + [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) 5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - [![](images/uc-06a.png)](images/uc-06.png) + [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png) -6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. +6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. 
- [![](images/uc-08a.png)](images/uc-08.png) + [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png) -7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. +7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. - [![](images/uc-09a.png)](images/uc-09.png) + [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg) @@ -89,7 +89,7 @@ In order for your devices to show up in Windows Analytics: Device Health, they m 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.

    - Using Microsoft Mobile Device Management (MDM)

    -Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).   +Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. You can find more information on deployment using MDM at the [DMClient Configuration Service Provider topic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).   ## Perform checks to ensure and verify successful deployment diff --git a/windows/deployment/update/images/OMS-after-adding-solution.jpg b/windows/deployment/update/images/OMS-after-adding-solution.jpg new file mode 100644 index 0000000000..d06a896f6e Binary files /dev/null and b/windows/deployment/update/images/OMS-after-adding-solution.jpg differ diff --git a/windows/deployment/update/images/solution-bundle.png b/windows/deployment/update/images/solution-bundle.png new file mode 100644 index 0000000000..70cec8d8f4 Binary files /dev/null and b/windows/deployment/update/images/solution-bundle.png differ diff --git a/windows/deployment/update/olympia/enrollment-keep-current-edition.md b/windows/deployment/update/olympia/enrollment-keep-current-edition.md new file mode 100644 index 0000000000..b0016c44ee --- /dev/null +++ b/windows/deployment/update/olympia/enrollment-keep-current-edition.md 
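Review bot: In step 6 of the `@@ -39,37 +39,37 @@` hunk for device-health-get-started.md, "go to the Solution Gallery, Select the **Device Health** tile" keeps a mid-sentence capital "Select" and uses "Solution Gallery" where the rest of the page (and the new alt text "Windows Analytics details page in Solutions Gallery") says "Solutions Gallery"; make the name consistent and lowercase the verb. The added recommendation to also install Upgrade Readiness and Update Compliance now appears twice on the page, once in the "If you are already using OMS" paragraph and again in step 6; one of the two is enough. The descriptive alt text on the images is a welcome accessibility fix.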
@@ -0,0 +1,44 @@ +--- +title: Keep your current Windows 10 edition +description: Olympia Corp enrollment - Keep your current Windows 10 edition +ms.author: nibr +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 09/01/2017 +--- + +# Olympia Corp enrollment + +## Keep your current Windows 10 edition + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/1-3.png) + +4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/1-4.png) + +5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. + +6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details. + +7. Create a PIN for signing into your Olympia corporate account. + +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +9. 
Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. diff --git a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md new file mode 100644 index 0000000000..6643971428 --- /dev/null +++ b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md 
@@ -0,0 +1,57 @@ +--- +title: Upgrade your Windows 10 edition from Pro to Enterprise +description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise +ms.author: nibr +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 09/01/2017 +--- + +# Olympia Corp enrollment + +## Upgrade your Windows 10 edition from Pro to Enterprise + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect**, then click **Join this device to Azure Active Directory**. + + ![Update your password](images/2-3.png) + +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/2-4.png) + +5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/2-5.png) + +6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details. + +8. Create a PIN for signing into your Olympia corporate account. + +9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +10. Restart your PC. + +11. 
In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*. + +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + +\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia. + diff --git a/windows/deployment/update/olympia/images/1-1.png b/windows/deployment/update/olympia/images/1-1.png new file mode 100644 index 0000000000..ee06527529 Binary files /dev/null and b/windows/deployment/update/olympia/images/1-1.png differ diff --git a/windows/deployment/update/olympia/images/1-3.png b/windows/deployment/update/olympia/images/1-3.png new file mode 100644 index 0000000000..807e895aa5 Binary files /dev/null and b/windows/deployment/update/olympia/images/1-3.png differ diff --git a/windows/deployment/update/olympia/images/1-4.png b/windows/deployment/update/olympia/images/1-4.png new file mode 100644 index 0000000000..3e63d1c078 Binary files /dev/null and b/windows/deployment/update/olympia/images/1-4.png differ diff --git a/windows/deployment/update/olympia/images/2-3.png b/windows/deployment/update/olympia/images/2-3.png new file mode 100644 index 0000000000..7006da4179 Binary files /dev/null and b/windows/deployment/update/olympia/images/2-3.png differ diff --git a/windows/deployment/update/olympia/images/2-4.png b/windows/deployment/update/olympia/images/2-4.png new file mode 100644 index 0000000000..677679a000 Binary files /dev/null and b/windows/deployment/update/olympia/images/2-4.png differ 
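Review bot: In the new enrollment-upgrade-to-enterprise.md, step 9 ("When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.") repeats step 6 word for word; one of them should go, and the later steps renumbered. The image for step 3 uses the alt text "Update your password" (`images/2-3.png`) although that step is about clicking **Join this device to Azure Active Directory**, so the alt text looks copied from step 5 and should describe the join dialog. Steps 1, 2, the password `[!NOTE]` and the Windows Insider Program `[!NOTE]` are duplicated verbatim between this file and enrollment-keep-current-edition.md; a shared include would keep the two from drifting.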
diff --git a/windows/deployment/update/olympia/images/2-5.png b/windows/deployment/update/olympia/images/2-5.png new file mode 100644 index 0000000000..cfec6f7ce0 Binary files /dev/null and b/windows/deployment/update/olympia/images/2-5.png differ diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md new file mode 100644 index 0000000000..17b87bd7b0 --- /dev/null +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -0,0 +1,22 @@ +--- +title: Olympia Corp enrollment guidelines +description: Olympia Corp enrollment guidelines +ms.author: nibr +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 09/01/2017 +--- + +# Olympia Corp enrollment guidelines + +Welcome to Olympia Corp. Here are the steps to add your account to your PC. + +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. + +Choose one of the following two enrollment options: + +1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md) + +2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 822dbf7bd1..5e3c80f9c4 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: greg-lindsay +author: jaimeo --- # Get started with Update Compliance 
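Review bot: In the new olympia-enrollment-guidelines.md, "we recommend you to upgrade" should be "we recommend that you upgrade". The sentence before it could also name the optional nature more precisely, since "This upgrade is optional" is immediately followed by a recommendation to do it; "This upgrade is optional, but ..." reads better as one sentence.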
@@ -39,61 +39,61 @@ Online Crash Analysis | oca.telemetry.microsoft.com Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). -If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. +If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - [![](images/uc-02a.png)](images/uc-02.png) + [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) 2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 
- [![](images/uc-03a.png)](images/uc-03.png) + [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png) 3. Create a new OMS workspace. - [![](images/uc-04a.png)](images/uc-04.png) + [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png) 4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - [![](images/uc-05a.png)](images/uc-05.png) + [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) 5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - [![](images/uc-06a.png)](images/uc-06.png) + [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png) -6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. +6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. - [![](images/uc-07a.png)](images/uc-07.png) + [![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png)](images/uc-07.png) 7. 
Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace. - [![](images/uc-08a.png)](images/uc-08.png) + [![Workspace showing Solutions Gallery](images/uc-08a.png)](images/uc-08.png) 8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens. - [![](images/uc-09a.png)](images/uc-09.png) + [![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png)](images/uc-09.png) 9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. - [![](images/uc-10a.png)](images/uc-10.png) + [![Series of blades showing Connected Sources, Windows Telemetry, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png)](images/uc-10.png) After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 1be2149594..2619584ebd 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
@@ -33,6 +33,8 @@ See the following topics in this guide for detailed information about configurin - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. + + An overview of the processes used by the Update Compliance solution is provided below. ## Update Compliance architecture diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index dd5cbaf8b7..cddacc1917 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -181,12 +181,12 @@ During the life of a device, it may be necessary or desirable to switch between Use media to upgrade to the latest Windows Insider Program build. -Long-Term Servicing Channel (Targeted) -Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.) +Semi-Annual Channel (Targeted) +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. -Long-Term Servicing Channel -Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build. +Semi-Annual Channel +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 937be3b7e3..29a27310e4 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: greg-lindsay +author: jaimeo --- # Get started with Upgrade Readiness @@ -43,7 +43,7 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen >[!IMPORTANT] >Upgrade Readiness is a free solution. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. -If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. +If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. If you are not using OMS: 
@@ -54,9 +54,9 @@ If you are not using OMS: > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. -1. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. +5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. -2. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens. +6. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens. ### Generate your commercial ID key @@ -64,7 +64,7 @@ Microsoft uses a unique commercial ID to map information from user computers to 1. On the Settings Dashboard, navigate to the **Windows telemetry** panel. - ![upgrade-readiness-telemetry](../images/upgrade-analytics-telemetry.png) + ![Windows Telemetry dialog showing button for "how to enable telemetry," the current commercial ID key, and a Subsribe button](../images/upgrade-analytics-telemetry.png) 2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers. 
@@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros - Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. - Schedule monthly user computer scans to view monthly active computer and usage information. ->When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on. +>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on. ### Distribute the deployment script at scale diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 9ca055c5f5..731feea00e 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md 
@@ -2,7 +2,7 @@ title: Upgrade Readiness - Resolve application and driver issues (Windows 10) description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. ms.prod: w10 -author: greg-lindsay +author: jaimeo --- # Upgrade Readiness - Step 2: Resolve app and driver issues @@ -14,8 +14,8 @@ This section of the Upgrade Readiness workflow reports application and driver in The blades in the **Step 2: Resolve issues** section are: - [Review applications with known issues](#review-applications-with-known-issues) -- [Review applications with no known issues](#review-applications-with-no-known-issues) - [Review known driver issues](#review-known-driver-issues) +- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers) - [Prioritize app and driver testing](#prioritize-app-and-driver-testing) >You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. @@ -48,7 +48,7 @@ To change an application's upgrade decision: 4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. 5. Click **Save** when finished. -IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. +IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. 
@@ -107,26 +107,6 @@ The following table lists possible values for **ReadyForWindows** and what they |Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| | Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | -## Review applications with no known issues - -Applications with no issues known to Microsoft are listed, grouped by upgrade decision. - -![Review applications with no known issues](../images/upgrade-analytics-apps-no-known-issues.png) - -Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**. - -Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates. - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table. - -2. Select **User changes** to change the upgrade decision for each application. - -3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. 
- ## Review drivers with known issues Drivers that won’t migrate to the new operating system are listed, grouped by availability. 
@@ -152,9 +132,30 @@ To change a driver’s upgrade decision: 4. Click **Save** when finished. +## Review low-risk apps and drivers + +Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade. + +![Blade showing low-risk apps](../images/ua-step2-low-risk.png) + +The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. + +The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in telemetry. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. + +Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**.  This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. + +You can customize the criteria further by using the Log Search query language. 
For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**.  Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. + +>[!NOTE] +>Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. + + At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed. + + + ## Prioritize app and driver testing -Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. +Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. 
### Proposed action plan diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index bbbb2a155d..860f86c5bb 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -9,7 +9,7 @@ author: greg-lindsay The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. -The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md). +The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version). The following color-coded status changes are reflected on the upgrade overview blade: 
@@ -32,7 +32,7 @@ The following color-coded status changes are reflected on the upgrade overview b - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. - If the current value is a deprecated OS version, the version is displayed in red. -Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs. +Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs. In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: @@ -65,4 +65,4 @@ Select **Total applications** for a list of applications discovered on user comp - Percentage of computers in your total computer inventory that opened the application in the past 30 days - Issues detected, if any - Upgrade assessment based on analysis of application data -- Rollup level \ No newline at end of file +- Rollup level diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index 85acab5a0a..e074aad404 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md 
@@ -2,7 +2,7 @@ title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) description: Describes how to use Upgrade Readiness to manage Windows upgrades. ms.prod: w10 -author: greg-lindsay +author: jaimeo --- # Use Upgrade Readiness to manage Windows upgrades @@ -14,7 +14,7 @@ You can use Upgrade Readiness to prioritize and work through application and dri When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. -![Workflow](../images/ua-cg-15.png) +![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. 
@@ -35,20 +35,20 @@ Also see the following topic for information about additional items that can be The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: -![Target version](../images/ur-target-version.png) +![Upgrade overview showing target version](../images/ur-target-version.png) As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607. +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703. 
To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: -![Target version](../images/ua-cg-08.png) +![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) >You must be signed in to Upgrade Readiness as an administrator to view settings. On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. -![Target version](../images/ur-settings.png) +![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 4eead9a058..fc38a3df22 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md 
@@ -7,12 +7,18 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 09/05/2017 author: greg-lindsay --- # Configure VDA for Windows 10 Subscription Activation -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license. +This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. + +Deployment instructions are provided for the following scenarios: +1. [Active Directory-joined VMs](#active-directory-joined-vms) +2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) +3. [Azure Gallery VMs](#azure-gallery-vms) ## Requirements 
@@ -63,7 +69,35 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir - In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. - In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. - In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below. +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rpd-settings-for-azure). + +## Azure Gallery VMs + +1. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +4. Click **Add**, type **Authenticated users**, and then click **OK** three times. +(https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd). +5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +6. Open Windows Configuration Designer and click **Provison desktop services**. +7. 
Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. +8. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +9. On the Set up network page, choose **Off**. +10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. +11. On the Add applications page, add applications if desired. This step is optional. +12. On the Add certificates page, add certificates if desired. This step is optional. +13. On the Finish page, click **Create**. +14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. + +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rpd-settings-for-azure). + +## Create custom RDP settings for Azure To create custom RDP settings for Azure: diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f76208ce9c..5f663ae222 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 8e9912ed68..c767d18075 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index d9870313ca..f7f79e2f18 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 63e2727b2a..dc842b3f38 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- @@ -238,8 +239,8 @@ This section contains several procedures to support Zero Touch installation with 1. Type the following commands at a Windows PowerShell prompt on SRV1: ``` - New-Item -ItemType Directory -Path "C:Sources\OSD\Boot" - New-Item -ItemType Directory -Path "C:Sources\OSD\OS" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" 
@@ -559,7 +560,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: ``` - New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" ``` diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 621de876bd..5a67eebb9e 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- @@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Add-DnsServerForwarder -IPAddress 192.168.0.2 + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +

    +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    +    Set-ADUser -Identity user1 -PasswordNeverExpires $true
    +    Set-ADUser -Identity administrator -PasswordNeverExpires $true
    +    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    +    
    + 12. Minimize the DC1 VM window but **do not stop** the VM. Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. @@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Restart-Computer -### Configure service and user accounts - -Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - ->To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
    -New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    -Set-ADUser -Identity user1 -PasswordNeverExpires $true
    -Set-ADUser -Identity administrator -PasswordNeverExpires $true
    -Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    -
    - This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. ## Appendix A: Verify the configuration diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md index ddd4bb48f1..0ac76da289 100644 --- a/windows/device-security/TOC.md +++ b/windows/device-security/TOC.md @@ -89,11 +89,12 @@ #### [AppLocker Settings](applocker\applocker-settings.md) ## [BitLocker](bitlocker\bitlocker-overview.md) -### [Overview of BitLocker and device encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) +### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) ### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md) ### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md) ### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md) ### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md) +### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md) ### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md) ### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) ### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md) diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md index db72ab90ec..2fc47e4258 100644 --- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
+++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -1,6 +1,6 @@ --- -title: Overview of BitLocker and device encryption in Windows 10 -description: This topic provides an overview of how BitLocker and device encryption can help protect data on devices running Windows 10. +title: Overview of BitLocker Device Encryption in Windows 10 +description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows 10. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,13 +8,13 @@ ms.pagetype: security author: Justinha --- -# Overview of BitLocker and device encryption in Windows 10 +# Overview of BitLocker Device Encryption in Windows 10 **Applies to** - Windows 10 -This topic explains how BitLocker and device encryption can help protect data on devices running Windows 10. -For an architectural overview about how device encryption works with Secure Boot, see [Secure boot and device encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). +This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. +For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. 
@@ -25,14 +25,14 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | Windows 7 | Windows 10 | |---|---| -| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | -| Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

    Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | +| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | + | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

    Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | | Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. | | BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. | -| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | The sections that follow describe these improvements in more detail. Also see: 
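Review bot: In the table hunk of bitlocker-device-encryption-overview-windows-10.md, the re-added row `+ | Users must contact the IT department to change their BitLocker PIN or password. | ...` has a leading space before its first pipe while every other row in the table starts with `|`; drop the space so the row is consistent with its neighbours and renders reliably as part of the table.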
@@ -60,23 +60,23 @@ Microsoft includes instrumentation in Windows 10 that enables the operating sys BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker. With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10. -## Device encryption +## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support InstantGo. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are InstantGo. 
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. -Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: +Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: -* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). +* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. * If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. 
Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. * If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. * Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. 
-Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting: +Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: - **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker - **Value**: PreventDeviceEncryption equal to True (1) - **Type**: REG\_DWORD -Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. ## Used Disk Space Only encryption diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md index 68cc89fe05..af3bab22cc 100644 --- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +localizationpriority: high author: brianlic-msft --- 
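Review bot: The front-matter hunk in bitlocker-frequently-asked-questions.md renames `ms.localizationpriority: high` to `localizationpriority: high`, which goes the opposite way from the rest of this change (bcs/index.md and windows-10-poc.md both use `ms.localizationpriority`); unless a different key is intended, keep `ms.localizationpriority` here, and apply the same key in the front matter of the new bitlocker-management-for-enterprises.md.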
@@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen `manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>` + +### When should an additional method of authentication be considered? + +New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. +For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. + ### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. 
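Review bot: Subject-verb agreement in the new "When should an additional method of authentication be considered?" answer: `New hardware that meets ... requirements make a PIN less critical` should read `makes`. The phrase `policies like device lockout` is too vague for a reader deciding whether a TPM-only protector is enough on their hardware; link to the specific lockout policy setting the sentence has in mind so the recommended mitigation is actionable.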
@@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. +### Can I use BitLocker with virtual machines (VMs)? + +Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. + + ## More information - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md new file mode 100644 index 0000000000..2315455956 --- /dev/null +++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md 
@@ -0,0 +1,185 @@ +--- +title: BitLocker Management Recommendations for Enterprises (Windows 10) +description: This topic explains recommendations for managing BitLocker. +ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# BitLocker Management Recommendations for Enterprises + +This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices. + +## Forward-looking recommendations for managing BitLocker + +The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. + +Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD). + +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. 
This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for: + + - [Domain-joined computers](#dom_join) + + - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad) + + - [Workplace-joined PCs and Phones](#work_join) + + - [Servers](#servers) + + - [Scripts](#powershell) + +
    + +## BitLocker management at a glance + +| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone +|---|---|----|---|---| +|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A| +|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS| + +
    +*PC hardware that supports InstantGo or HSTI + +
    +
    + + +## Recommendations for domain-joined computers + +Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption). + +Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). + +For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality: + +- Encrypts device with BitLocker using MBAM +- Stores BitLocker Recovery keys in MBAM Server +- Provides Recovery key access to end-user, helpdesk and advanced helpdesk +- Provides Reporting on Compliance and Recovery key access audit + + +[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1). + +
    + + +## Recommendations for devices joined to Azure Active Directory + + + +Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. + +Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. + +For hardware that is compliant with InstantGo and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. 
+ + + +## Workplace-joined PCs and phones + +For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join. + + + +## Recommendations for servers + +Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. + +The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/). + +If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. 
+ + Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + + For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles). +  + + +## PowerShell examples + +For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. + +*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* +``` +PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector + +PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:” + +PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId +``` +For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). + +*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker* +``` +PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector + +PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:” + +PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId + ``` + +Subsequently, you can use PowerShell to enable BitLocker. 
+ +*Example: Use PowerShell to enable BitLocker with a TPM protector* + ``` +PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector + ``` +*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456* + ``` +PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force + +PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector + ``` + + + +## Related Articles + +[BitLocker: FAQs](bitlocker-frequently-asked-questions.md) + +[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx) + +[Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) + +[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)* + +[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker) + +[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx) + +[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) +*(Overview)* + +[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))* + +[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) + +
    + +**Windows Server setup tools** + +[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx) + +[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/) + +[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)* + +[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md) + +[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + +[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) + +
    + + +**Powershell** + +[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell) + +[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs) \ No newline at end of file diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md index b9308ded1b..6a94dab8c8 100644 --- a/windows/device-security/bitlocker/bitlocker-overview.md +++ b/windows/device-security/bitlocker/bitlocker-overview.md @@ -67,7 +67,7 @@ When installing the BitLocker optional component on a server you will also need | Topic | Description | | - | - | -| [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. | +| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. | | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | 
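Review bot: In both recovery-password examples of bitlocker-management-for-enterprises.md, `-KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId` assumes the recovery password is the first protector on the volume; on a volume that already carries a TPM protector, index 0 is the TPM protector, and only recovery-password protectors can be backed up with `Backup-BitLockerKeyProtector` / `BackupToAAD-BitLockerKeyProtector`, so the backup fails and the reader then enables BitLocker with no escrowed key. Select the protector by type instead, for example `$RP = $BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'` and pass `$RP.KeyProtectorId`. Smaller points in the same hunk: `Get-BitLockerVolume -MountPoint "C:”` closes the string with a typographic quote; the fences have no powershell language tag and are indented inconsistently; the TPM-only example targets `"D:"` while every other example targets `"C:"`, and a TPM protector is only valid on the operating system volume; `[Related Articles](#articles)` does not match the anchor generated for the `## Related Articles` heading (`#related-articles`); and "Bitlocker FAQs" and the bold "**Powershell**" heading should read "BitLocker" and "PowerShell" as elsewhere on the page.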
diff --git a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md b/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md index 557719c15c..5ffc817153 100644 --- a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -44,7 +44,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use either BitLocker or Device Encryption, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. 
However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. 
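Review bot: The @@ -44 hunk keeps the bare term "Device Encryption" ("devices such as tablets or phones that use Device Encryption only") while the rest of this patch standardizes on "BitLocker Device Encryption" (the bitlocker-overview.md table row and the @@ -250 hunk of this same file); use one term throughout so readers do not take them for two different features.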
@@ -250,9 +250,9 @@ If you have lost the USB flash drive that contains the startup key, then you mus This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. -## Windows RE and BitLocker +## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. 
When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. ## Using additional recovery information diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md index b87d0626c3..cb46edf710 100644 --- a/windows/device-security/change-history-for-device-security.md +++ b/windows/device-security/change-history-for-device-security.md 
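Review bot: The @@ -250 hunk narrows the opening sentence to "a drive protected by BitLocker Device Encryption" and renames the heading, but the remainder of the paragraph still refers to "any BitLocker-protected drives" and "the BitLocker recovery key", so the section now reads as if Windows RE no longer applies to drives protected by BitLocker proper, which the removed wording ("by BitLocker or by Device Encryption") covered. If "BitLocker Device Encryption" is meant as the umbrella term (as in the bitlocker-overview.md hunk), align the rest of the paragraph; otherwise keep the "BitLocker or" wording. Either way the rename changes the generated anchor from `#windows-re-and-bitlocker` to `#windows-re-and-bitlocker-device-encryption`, so inbound links to this section need to be checked.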
@@ -11,10 +11,17 @@ author: brianlic-msft # Change history for device security This topic lists new and updated topics in the [Device security](index.md) documentation. +## August 2017 +|New or changed topic |Description | +|---------------------|------------| +| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. | +| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description | + + ## July 2017 |New or changed topic |Description | |---------------------|------------| - | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | +| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | ## May 2017 diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md index 905dcc1550..0e2e0995b9 100644 --- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md @@ -1,6 +1,6 @@ --- title: Deploy catalog files to support code integrity policies (Windows 10) -description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
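Review bot: The new August 2017 change-history table lists only two topics, but this patch also revises bitlocker-overview.md, bitlocker-recovery-guide-plan.md and the Device Guard topics (the "Windows Defender Device Guard" rename), none of which get a row. Also, "Revised description" lacks the terminal period the neighbouring rows use. Removing the stray leading space before the July row `| [How Windows 10 uses the Trusted Platform Module]` is the right fix, since an indented row breaks the markdown table.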
@@ -16,7 +16,7 @@ author: brianlic-msft Catalog files can be important in your deployment of code integrity polices if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create code integrity policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. -For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Device Guard." +For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." ## Create catalog files 
@@ -30,7 +30,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies). - > **Note**  This process should **not** be performed on a system with an enforced Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. + > **Note**  This process should **not** be performed on a system with an enforced Windows Defender Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. 2. Start Package Inspector, and then start scanning a local drive, for example, drive C: 
@@ -150,7 +150,7 @@ To simplify the management of catalog files, you can use Group Policy preference 2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2. - > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png) 
@@ -318,9 +318,9 @@ At the time of the next software inventory cycle, when the targeted clients rece ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md index ab8015ffad..71f007b12c 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md 
@@ -1,6 +1,6 @@ --- title: Deploy code integrity policies - policy rules and file rules (Windows 10) -description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Device Guard in Windows 10. +description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -15,8 +15,8 @@ author: brianlic-msft - Windows Server 2016 Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see: -- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies." -- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard." +- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies." +- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." If you already understand the basics of code integrity policy and want procedures for creating, auditing, and merging code integrity policies, see [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md). 
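Review bot: In the @@ -15 hunk the first link's fragment is rewritten to `#how-windows-defender-device-guard-features-help-protect-against-threats`, which presumes the corresponding heading in introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md has been renamed; that file is not in this diff, so confirm the heading change is part of the same PR before merging, otherwise the link becomes a dead anchor. Keeping "device-guard" in the file path itself is fine as long as only headings, not paths, are renamed.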
@@ -29,7 +29,7 @@ This topic includes the following sections: ## Overview of the process of creating code integrity policies -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). 
> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies. @@ -47,7 +47,7 @@ To modify the policy rule options of an existing code integrity policy, use the ` Set-RuleOption -FilePath -Option 0` - Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. + Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. - To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command: 
@@ -80,7 +80,7 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy. -Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario. +Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Windows Defender Device Guard deployment scenario. Table 3. Code integrity policy - file rule levels @@ -113,5 +113,5 @@ They could also choose to create a catalog that captures information about the u ## Related topics -- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) +- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) 
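Review bot: Same anchor concern for the Related topics link in the @@ -113 hunk: `#how-windows-defender-device-guard-features-help-protect-against-threats` only resolves if the target heading in the introduction topic was actually renamed, which this diff does not show.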
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 6b3f009321..9f7bef9162 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -1,6 +1,6 @@ --- title: Deploy code integrity policies - steps (Windows 10) -description: This article describes how to deploy code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to deploy code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Device Guard deployment process, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ## Create a code integrity policy from a golden computer 
@@ -26,11 +26,11 @@ The process for creating a golden code integrity policy from a reference system ### Scripting and applications Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. -You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). +You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). -Members of the security community\* continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies. +Members of the security community\* continuously collaborate with Microsoft® to help protect customers. 
With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies. -Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard: +Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard: - bash.exe - bginfo.exe[1] 
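Review bot: In the @@ -26 hunk the AppLocker link text is renamed but its fragment stays `#device-guard-with-applocker`, while other links in this patch had their fragments rewritten to the `windows-defender-device-guard` form. Both cannot be right: if the target headings were renamed, this fragment is stale; if they were not, the rewritten fragments elsewhere are broken. Check the introduction topic's actual headings and apply one convention to every link.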
@@ -70,9 +70,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you >[!Note] >This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. -Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. +Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Windows Defender Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: 
@@ -248,7 +248,7 @@ To create a code integrity policy, copy each of the following commands into an e > [!Notes] - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” 
@@ -260,7 +260,7 @@ To create a code integrity policy, copy each of the following commands into an e ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` -After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. +After you complete these steps, the Windows Defender Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. > [!Note] > We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). @@ -286,7 +286,7 @@ When code integrity policies are run in audit mode, it allows administrators to > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] 
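Review bot: The @@ -260 hunk keeps "original .xml file (IntialScan.xml)" while the variable named on the line above is `$InitialCIPolicy`; this looks like a misspelling of InitialScan.xml and is worth fixing while the sentence is being edited.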
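Review bot: In the @@ -286 hunk, `Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard` is a literal Group Policy editor path, not prose; the node name comes from the ADMX files of the targeted Windows build, so the branding rename should only be applied here if the editor actually shows that name on the builds this topic covers. A reader following a node name that does not exist will not find **Deploy Code Integrity Policy**. Verify on a current build or keep the existing node name in the path.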
@@ -339,7 +339,7 @@ Use the following procedure after you have been running a computer with a code i > [!Note] > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. -4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: +4. Find and review the Windows Defender Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file. 
@@ -584,7 +584,7 @@ There may be a time when signed code integrity policies cause a boot failure. Be ## Deploy and manage code integrity policies with Group Policy -Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. +Code integrity policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. > [!Note] > This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. 
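Review bot: the `+` line in the @@ -584 hunk keeps "A Windows Defender Device Guard administrative template will be available in Windows Server 2016", yet Windows Server 2016 is already listed under **Applies to** elsewhere in this patch (the @@ -8,27 hunk of deploy-device-guard-enable-virtualization-based-security.md), so the future tense reads stale. Since the sentence is being rewritten, suggest "is available in Windows Server 2016".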
@@ -598,7 +598,7 @@ To deploy and manage a code integrity policy with Group Policy: 2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3. - > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png) @@ -608,7 +608,7 @@ To deploy and manage a code integrity policy with Group Policy: 4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**. +5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**. ![Edit the group policy for code integrity](images/dg-fig25-editcode.png) 
@@ -632,7 +632,7 @@ To deploy and manage a code integrity policy with Group Policy: ## Related topics -[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +[Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -[Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +[Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md index 012a60e785..886d093664 100644 --- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md @@ -1,6 +1,6 @@ --- -title: Deploy Device Guard - deploy code integrity policies (Windows 10) -description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Device Guard in Windows 10. +title: Deploy Windows Defender Device Guard - deploy code integrity policies (Windows 10) +description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -8,7 +8,7 @@ ms.localizationpriority: high author: brianlic-msft --- -# Deploy Device Guard: deploy code integrity policies +# Deploy Windows Defender Device Guard: deploy code integrity policies **Applies to** - Windows 10 
@@ -20,13 +20,13 @@ This section includes the following topics: - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -- [Deploy Managed Installer for Device Guard](deploy-managed-installer-for-device-guard.md) +- [Deploy Managed Installer for Windows Defender Device Guard](deploy-managed-installer-for-device-guard.md) To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based security (VBS) with your code integrity policies. -- For requirements, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard) in "Requirements and deployment planning guidelines for Device Guard." -- For steps, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). +- For requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." +- For steps, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). 
## Related topics -[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +[Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index 45c3ca1f45..7f3deced86 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md @@ -1,6 +1,6 @@ --- -title: Deploy Device Guard - enable virtualization-based security (Windows 10) -description: This article describes how to enable virtualization-based security, one of the main features that are part of Device Guard in Windows 10. +title: Deploy Windows Defender Device Guard - enable virtualization-based security (Windows 10) +description: This article describes how to enable virtualization-based security, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -8,27 +8,27 @@ ms.localizationpriority: high author: brianlic-msft --- -# Deploy Device Guard: enable virtualization-based security +# Deploy Windows Defender Device Guard: enable virtualization-based security **Applies to** - Windows 10 - Windows Server 2016 -Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Device Guard: +Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Windows Defender Device Guard security offerings. VBS reinforces the most important feature of Windows Defender Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Windows Defender Device Guard: -1. **Decide whether to use the procedures in this topic, or to use the Device Guard readiness tool**. To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. +1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. -2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. 
A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). +2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). -3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). +3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). -4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. 
You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. +4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. -For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +For information about enabling Windows Defender Credential Guard, see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). 
-## Windows feature requirements for virtualization-based security and Device Guard +## Windows feature requirements for virtualization-based security and Windows Defender Device Guard -In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: +In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: - Beginning with Windows 10, version 1607 or Windows Server 2016:
    Hyper-V Hypervisor, which is enabled automatically. No further action is needed. @@ -42,17 +42,17 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -## Enable Virtualization Based Security (VBS) and Device Guard +## Enable Virtualization Based Security (VBS) and Windows Defender Device Guard -There are multiple ways to configure VBS features for Device Guard: +There are multiple ways to configure VBS features for Windows Defender Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. - You can use Group Policy, as described in the procedure that follows. -- You can configure VBS manually, as described in [Use registry keys to enable VBS and Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. +- You can configure VBS manually, as described in [Use registry keys to enable VBS and Windows Defender Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. > **Note**  We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. -### Use Group Policy to enable VBS and Device Guard +### Use Group Policy to enable VBS and Windows Defender Device Guard 1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. 
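Review bot: two in-page links in the @@ -8,27 hunk of deploy-device-guard-enable-virtualization-based-security.md keep their old anchors even though this patch renames the headings they point to. Step 3 still links to `#windows-feature-requirements-for-virtualization-based-security-and-device-guard` while the same hunk renames that heading to "## Windows feature requirements for virtualization-based security and Windows Defender Device Guard", and step 4 still links to `#enable-virtualization-based-security-vbs-and-device-guard` while the @@ -42 hunk renames its target to "## Enable Virtualization Based Security (VBS) and Windows Defender Device Guard". The patch already updates `#hardware-firmware-and-software-requirements-for-windows-defender-device-guard` on the same lines to follow a renamed heading, so do the same here: `#windows-feature-requirements-for-virtualization-based-security-and-windows-defender-device-guard` and `#enable-virtualization-based-security-vbs-and-windows-defender-device-guard`.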
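Review bot: the @@ -42 hunk updates the link text to "Use registry keys to enable VBS and Windows Defender Device Guard" but leaves the anchor as `#use-registry-keys-to-enable-vbs-and-device-guard`, and the @@ -95 hunk later in this file renames that heading to "### Use registry keys to enable VBS and Windows Defender Device Guard", so the link will no longer resolve. Change the anchor to `#use-registry-keys-to-enable-vbs-and-windows-defender-device-guard`, as was done for the hardware-requirements anchor, and search the rest of the repo for the old slug since other topics may link to it.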
@@ -64,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) @@ -76,7 +76,7 @@ There are multiple ways to configure VBS features for Device Guard: Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607) - > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). + > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). 6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option. 
@@ -95,15 +95,15 @@ There are multiple ways to configure VBS features for Device Guard: 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart. -8. Check the test computer’s event log for Device Guard GPOs. +8. Check the test computer’s event log for Windows Defender Device Guard GPOs. - Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. + Processed Windows Defender Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. ->**Note**  Events will be logged in this event channel only when Group Policy is used to enable Device Guard features, not through other methods. If other methods such as registry keys are used, Device Guard features will be enabled but the events won’t be logged in this event channel. +>**Note**  Events will be logged in this event channel only when Group Policy is used to enable Windows Defender Device Guard features, not through other methods. If other methods such as registry keys are used, Windows Defender Device Guard features will be enabled but the events won’t be logged in this event channel. -### Use registry keys to enable VBS and Device Guard +### Use registry keys to enable VBS and Windows Defender Device Guard -Set the following registry keys to enable VBS and Device Guard. This provides exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable VBS and Windows Defender Device Guard. 
This provides exactly the same set of configuration options provided by Group Policy. > [!WARNING] > Virtualization-based protection of code integrity (controlled through the registry key **HypervisorEnforcedCodeIntegrity**) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). @@ -111,7 +111,7 @@ Set the following registry keys to enable VBS and Device Guard. This provides ex > **Important**   -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
    +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
    > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 1607 and above @@ -210,9 +210,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` -### Validate enabled Device Guard hardware-based security features +### Validate enabled Windows Defender Device Guard hardware-based security features -Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: +Windows 10 and Windows Server 2016 and later have a WMI class for Windows Defender Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: ` Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` @@ -238,7 +238,7 @@ Table 1. Win32\_DeviceGuard properties AvailableSecurityProperties -This field helps to enumerate and report state on the relevant security properties for Device Guard. +This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
    • 0. If present, no relevant properties exist on the device.

    • 1. If present, hypervisor support is available.

    • @@ -273,19 +273,19 @@ Table 1. Win32\_DeviceGuard properties SecurityServicesConfigured -This field indicates whether the Credential Guard or HVCI service has been configured. +This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
      • 0. No services configured.

      • -
      • 1. If present, Credential Guard is configured.

      • +
      • 1. If present, Windows Defender Credential Guard is configured.

      • 2. If present, HVCI is configured.

      SecurityServicesRunning -This field indicates whether the Credential Guard or HVCI service is running. +This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
      • 0. No services running.

      • -
      • 1. If present, Credential Guard is running.

      • +
      • 1. If present, Windows Defender Credential Guard is running.

      • 2. If present, HVCI is running.

      @@ -311,14 +311,14 @@ Table 1. Win32\_DeviceGuard properties -Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. +Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. -![Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) +![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) -Figure 6. Device Guard properties in the System Summary +Figure 6. Windows Defender Device Guard properties in the System Summary ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index fcd0f46670..53d92d3c77 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md 
+++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -1,5 +1,5 @@ --- -title: Deploy Managed Installer for Device Guard (Windows 10) +title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10) description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. keywords: virtualization, security, malware ms.prod: w10 @@ -8,9 +8,9 @@ ms.localizationpriority: high author: mdsakibMSFT --- -# Deploy Managed Installer for Device Guard +# Deploy Managed Installer for Windows Defender Device Guard -Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guard’s [configurable code integrity (CI)](device-guard-deployment-guide.md). +Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md). This is especially true for enterprises with large, ever changing software catalogs. Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. 
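Review bot: in the @@ -8,9 hunk of deploy-managed-installer-for-device-guard.md the rewritten sentence introduces "frequently-cited request"; adverbs ending in -ly are not hyphenated to the adjective they modify, so "frequently cited request" is the correct form. The rest of the rewording reads well.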
@@ -21,14 +21,14 @@ A managed installer helps an IT admin balance security and manageability require A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. -Once the IT administrator adds the Allow: Managed Installer option to a configurable CI policy for Device Guard, the configurable CI component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. +Once the IT administrator adds the Allow: Managed Installer option to a configurable CI policy for Windows Defender Device Guard, the configurable CI component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. > [!NOTE] > Admins needs to ensure that there is a CI policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. > > Examples of CI policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. -> Admins can reference and customize them as needed for their Device Guard deployment. +> Admins can reference and customize them as needed for their Windows Defender Device Guard deployment. ## Configuring a managed installer with AppLocker and configurable code integrity policy 
@@ -151,8 +151,8 @@ An example of the managed installer option being set in policy is shown below. Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. -Users with administrator privileges on the system may be able to circumvent the intent of Device Guard configurable CI when the managed installer option is allowed. -If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users may be able to circumvent the intent of Device Guard configurable CI policy. +Users with administrator privileges on the system may be able to circumvent the intent of Windows Defender Device Guard configurable CI when the managed installer option is allowed. +If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users may be able to circumvent the intent of Windows Defender Device Guard configurable CI policy. In some cases, the heuristic tracking and authorizing applications may be active on the first execution of an application that is laid down from a designated managed installer. Typically, this would occur if the managed installer executes the application directly as part of the installation process. To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index da932fc370..2b460c583b 100644 
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md @@ -1,6 +1,6 @@ --- -title: Device Guard deployment guide (Windows 10) -description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +title: Windows Defender Device Guard deployment guide (Windows 10) +description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware ms.prod: w10 
@@ -9,23 +9,23 @@ ms.localizationpriority: high author: brianlic-msft --- -# Device Guard deployment guide +# Windows Defender Device Guard deployment guide **Applies to** - Windows 10 - Windows Server 2016 -Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. +Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. 
-This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. It includes: +This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes: -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) - [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) 
@@ -35,7 +35,7 @@ This guide explores the individual features in Device Guard as well as how to pl - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## Related topics @@ -45,10 +45,10 @@ This guide explores the individual features in Device Guard as well as how to pl [Code integrity](https://technet.microsoft.com/library/dd348642.aspx) -[Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) +[Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) -[Driver compatibility with Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) +[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) -[Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) +[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 8c995bb3fe..e5593fe7b8 100644 
--- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -1,6 +1,6 @@ --- -title: Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10) -description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +title: Introduction to Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10) +description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -8,47 +8,47 @@ ms.localizationpriority: high author: brianlic-msft --- -# Introduction to Device Guard: virtualization-based security and code integrity policies +# Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies **Applies to** - Windows 10 - Windows Server 2016 -With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware. -To increase the security level offered by code integrity policies, Device Guard can leverage advanced hardware features on hardware that supports them. 
These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Device Guard and these hardware features can help protect against various threats. +To increase the security level offered by code integrity policies, Windows Defender Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. -For an overview of the process of deploying Device Guard features, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +For an overview of the process of deploying Windows Defender Device Guard features, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). 
-## How Device Guard features help protect against threats +## How Windows Defender Device Guard features help protect against threats -The following table lists security threats and describes the corresponding Device Guard features: +The following table lists security threats and describes the corresponding Windows Defender Device Guard features: -| Security threat in the enterprise | How a Device Guard feature helps protect against the threat | +| Security threat in the enterprise | How a Windows Defender Device Guard feature helps protect against the threat | | --------------------------------- | ----------------------------------------------------------- | | **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
      Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

      **Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | | **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

      **Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
      With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

      **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
      With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

      **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

      **Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.

      **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.

      **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | -In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). +In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). ## New and changed functionality As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). 
-## Tools for managing Device Guard features +## Tools for managing Windows Defender Device Guard features -You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: +You can easily manage Windows Defender Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: -- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. +- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. - - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Device Guard features help protect against threats](#how-device-guard-features-help-protect-against-threats), earlier in this topic. 
+ - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic. - For information about using Group Policy as a deployment tool, see:
      [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy)
      [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy) - **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager). 
@@ -59,25 +59,25 @@ You can easily manage Device Guard features by using familiar enterprise and cli These options provide the same experience you're used to in order to manage your existing enterprise management solutions. -For more information about the deployment of Device Guard features, see: -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +For more information about the deployment of Windows Defender Device Guard features, see: +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) -## Other features that relate to Device Guard +## Other features that relate to Windows Defender Device Guard -### Device Guard with AppLocker +### Windows Defender Device Guard with AppLocker -Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. 
There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. -> **Note**  One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. +> **Note**  One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. -AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. +AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. 
-### Device Guard with Credential Guard +### Windows Defender Device Guard with Windows Defender Credential Guard -Another Windows 10 feature that employs VBS is [Credential Guard](/windows/access-protection/credential-guard/credential-guard). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +Another Windows 10 feature that employs VBS is [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). Windows Defender Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Windows Defender Credential Guard (which is not a feature within Windows Defender Device Guard), see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). -Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. +Windows Defender Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Windows Defender Credential Guard, organizations can gain additional protection against such threats. 
diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index 32732cc6a1..dbd9304e45 100644 --- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -1,6 +1,6 @@ --- title: Optional - Create a code signing certificate for code integrity policies (Windows 10) -description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -As you deploy code integrity policies (part of Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). +As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: @@ -96,7 +96,7 @@ When the certificate has been exported, import it into the personal store for th ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) 
diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index c822167621..3cff963c28 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -1,6 +1,6 @@ --- -title: Planning and getting started on the Device Guard deployment process (Windows 10) -description: To help you plan and begin the initial test stages of a deployment of Microsoft Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. +title: Planning and getting started on the Windows Defender Device Guard deployment process (Windows 10) +description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
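Review bot: in the `description:` front matter, "a deployment of Microsoft Windows Defender Device Guard" stacks the company name on an already branded product name; suggest `description: To help you plan and begin the initial test stages of a deployment of Windows Defender Device Guard, ...` (the page body and the title in the same hunk use the name without the "Microsoft" prefix).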
@@ -8,19 +8,20 @@ ms.localizationpriority: high author: brianlic-msft --- -# Planning and getting started on the Device Guard deployment process +# Planning and getting started on the Windows Defender Device Guard deployment process **Applies to** - Windows 10 - Windows Server 2016 -This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. +This topic provides a roadmap for planning and getting started on the Windows Defender Device Guard deployment process, with links to topics that provide additional detail. Planning for Windows Defender Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. ## Planning -1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). +1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). 
Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard(requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-hardware-firmware-and-software-requirements-for- +windows-defender-device-guard). -2. **Group devices by degree of control needed**. Group devices according to the table in [Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. +2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
      This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. @@ -32,20 +33,20 @@ This topic provides a roadmap for planning and getting started on the Device Gua - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? - In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Device Guard code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). Legitimate applications from trusted vendors provide valid functionality. 
However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. - Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). + Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). -4. 
**Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). +4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). ## Getting started on the deployment process 
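Review bot: the rewritten link in step 1 will not render: the link text is missing its closing `]` ("...requirements for Windows Defender Device Guard(requirements-and-..."), the target URL is broken across two added lines with a line break inside it, and the fragment `#windows-defender-hardware-firmware-and-software-requirements-for-windows-defender-device-guard` does not match the heading this same PR renames in requirements-and-deployment-planning-guidelines-for-device-guard.md (`## Hardware, firmware, and software requirements for Windows Defender Device Guard`, whose generated anchor is `#hardware-firmware-and-software-requirements-for-windows-defender-device-guard`). Suggest a single line: `[Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard)`. In step 3, the link text becomes "Windows Defender Device Guard with AppLocker" but the fragment stays `#device-guard-with-applocker`; if the corresponding heading in the introduction topic was renamed like the Credential Guard heading in this PR, the fragment needs updating too, and the absolute technet.microsoft.com URL could be replaced with the relative `.md` path used for the other links in this list.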
@@ -67,11 +68,11 @@ This topic provides a roadmap for planning and getting started on the Device Gua - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies) - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
      -8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). +8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). + For information about enabling VBS features, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
      \ No newline at end of file diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9b22432875..ec2f600b51 100644 --- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -1,6 +1,6 @@ --- -title: Requirements and deployment planning guidelines for Device Guard (Windows 10) -description: To help you plan a deployment of Microsoft Device Guard, this article describes hardware requirements for Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. +title: Requirements and deployment planning guidelines for Windows Defender Device Guard (Windows 10) +description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
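Review bot: the new `description:` reads "a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard", using the product name with and without the "Microsoft" prefix in the same sentence; suggest dropping "Microsoft" so both mentions match the title on the line above.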
@@ -8,31 +8,31 @@ ms.localizationpriority: high author: brianlic-msft --- -# Requirements and deployment planning guidelines for Device Guard +# Requirements and deployment planning guidelines for Windows Defender Device Guard **Applies to** - Windows 10 - Windows Server 2016 -The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ->**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). +>**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). -## Hardware, firmware, and software requirements for Device Guard +## Hardware, firmware, and software requirements for Windows Defender Device Guard -To deploy Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats. +To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. 
However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats. -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Device Guard, see [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). +For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). -You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. 
We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > **Notes**
      -> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
      +> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
      > • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Baseline protections 
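Review bot: the OEM note changes the link text to "PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard", but the target (the external msdn.microsoft.com mt767514 page) is not part of this change; confirm that page's title was updated as well, otherwise keep the link text matching the destination so readers can recognise the page they land on.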
@@ -44,9 +44,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | -> **Important**  The following tables list additional qualifications for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. ## Additional qualifications for improved security @@ -80,32 +80,32 @@ The following tables describe additional hardware and firmware qualifications, a | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
      • UEFI runtime service must meet these requirements:
          • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
          • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and exceutable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. | -## Device Guard deployment in different scenarios: types of devices +## Windows Defender Device Guard deployment in different scenarios: types of devices -Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization. +Typically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Windows Defender Device Guard in your organization. -| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | +| **Type of device** | **How Windows Defender Device Guard relates to this type of device** | **Windows Defender Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | +| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After Windows Defender Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | | **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
      Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

      • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | +| **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

      • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Windows Defender Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | -## Device Guard deployment in virtual machines +## Windows Defender Device Guard deployment in virtual machines -Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine. +Windows Defender Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Device Guard are the same from within the virtual machine. -Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine: +Windows Defender Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Windows Defender Device Guard for a virtual machine: ` Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` -### Requirements for running Device Guard in Hyper-V virtual machines +### Requirements for running Windows Defender Device Guard in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- - Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - - Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. + - Windows Defender Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. + - Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. + - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. ## Reviewing your applications: application signing and catalog files 
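Review bot: the context line ` Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` in this hunk has no argument after `-VMName`, so the command as printed is not runnable; since the surrounding paragraph is being rewritten for the rename anyway, suggest `Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true` so readers know a VM name is expected. The three renamed requirement bullets each say "opt out of virtualization-based security using Set-VMSecurity"; pointing them at that corrected command line (or showing it once under the requirements list) would save repeating the instruction three times.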
@@ -124,9 +124,9 @@ To obtain signed applications or embed signatures in your in-house applications, To use catalog signing, you can choose from the following options: -- Use the Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). +- Use the Windows Defender Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). -- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ### Catalog files 
@@ -136,9 +136,9 @@ Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered After you have created and signed your catalog files, you can configure your code integrity policies to trust the signer or signing certificate of those files. -> **Note**  Package Inspector only works on operating systems that support Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. +> **Note**  Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. -For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). +For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). ## Code integrity policy formats and signing 
@@ -150,7 +150,7 @@ When the code integrity policy is deployed, it restricts the software that can r ## Related topics -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md index cc479c5bc2..b2a0c2025c 100644 --- a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md 
@@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside ## Reference -This policy setting prevents users from adding new Microsoft accounts on a device. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. -If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store. +There are two options if this setting is enabled: -If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system. +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). + +- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
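Review bot: the rewritten **Users can’t add or log on with Microsoft accounts** bullet drops the original warning that "Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system." That lockout risk is the operationally important consequence of the stricter option, so suggest keeping it as a second sentence of that bullet. The removed guidance on app-specific Microsoft accounts ("Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store.") is also gone with no replacement; confirm that removal is intended rather than lost in the rewrite.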
@@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st ### Best practices - By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. -- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts. ### Location diff --git a/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png new file mode 100644 index 0000000000..52acafba66 Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png differ 
diff --git a/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png new file mode 100644 index 0000000000..858be4e70e Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png differ diff --git a/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png new file mode 100644 index 0000000000..2efa6877c8 Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png differ diff --git a/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md index d51142a117..29f724e680 100644 --- a/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md 
@@ -30,7 +30,9 @@ The **Passwords must meet complexity requirements** policy setting determines wh - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Base 10 digits (0 through 9) - - Non-alphanumeric characters (special characters) (for example, !, $, \#, %) + - Non-alphanumeric characters (special characters): + (~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/) + Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting. - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. Complexity requirements are enforced when passwords are changed or created. diff --git a/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 2d68063ec7..18de1ae022 100644 --- a/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft +ms.date: 08/29/2017 --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing 
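Review bot: in password-must-meet-complexity-requirements.md, the added character list `(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)` is raw markdown: the backtick opens an inline code span, `*` and `_` can be parsed as emphasis delimiters, and `\\` renders as a single backslash, so the rendered set will not match the literal list of characters. Suggest wrapping the whole set in an inline code span delimited by double backticks (so the single backtick inside survives) or escaping every markdown-active character consistently. Replacing "for example, !, $, \#, %" with a full list also turns an illustrative sample into an exhaustive set; confirm that the set is meant to be complete.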
@@ -32,7 +33,7 @@ For the EFS service, this policy setting supports the 3DES and Advanced Encrypti **Remote Desktop Services (RDS)** -For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm. +If you're using Remote Desktop Services, this policy setting should only be enabled if the 3DES encryption algorithm is supported. **BitLocker** diff --git a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index e0e41611ad..b452b3c093 100644 --- a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md 
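Review bot: the replacement sentence "If you're using Remote Desktop Services, this policy setting should only be enabled if the 3DES encryption algorithm is supported" changes what the paragraph says rather than clarifying it. The original stated the effect of the setting (RDS network communication is restricted to Triple DES when this policy is enabled); the new text states only a precondition and no longer tells the reader why it exists. Suggest keeping both: "With this setting enabled, Remote Desktop Services encrypts network communication only with the Triple DES (3DES) algorithm, so enable it only if your Remote Desktop clients support 3DES."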
@@ -18,9 +18,10 @@ Describes the best practices, location, values, policy management and security c ## Reference This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. -When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**. +When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**. ->**Note:**  If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. +> [!NOTE] +> If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.   ### Possible values 
@@ -30,11 +31,16 @@ When the Admin Approval Mode is enabled, the local administrator account functio - Disabled - The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. + If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges ### Best practices -- Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC). +- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) + + To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. + +> [!NOTE] +> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. ### Location 
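Review bot: the added Best practices bullet ends with "See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](.../user-account-control-admin-approval-mode-for-the-built-in-administrator-account)", which is the page this hunk edits, so the reference is a self-link; drop it or point at the elevation-prompt page that the following paragraph already links. Smaller issues in the same hunk: the new Disabled description "...runs all applications by default with full administrative privileges" has no terminal period; "Alternatively, You may perform" should be lowercase "you"; and "you must first log in and out" should match the page's "logs on" wording, e.g. "log off and log on again". The new Disabled text also repeats a sentence already present in the Reference section; the shorter "The built-in Administrator account runs all applications by default with full administrative privileges." would be enough here.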
@@ -67,10 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways: - -- If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -- If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted. +One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. 
In a default installation of a computer running at least Windows Vista, if the computer is not joined to a domain, the first user account you create has the equivalent permissions of a local administrator. ### Countermeasure diff --git a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index cbc598ba9f..bd001552c4 100644 --- a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -25,7 +25,8 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Elevate without prompting** Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. - >**Note:**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + + **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.   - **Prompt for credentials on the secure desktop** 
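Review bot: the rewritten Vulnerability paragraph drops the domain-joined case ("If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted.") and keeps only the workgroup case as a single sentence. The two bullets together described how administrative accounts are initially set up, and the domain case is the usual enterprise configuration, so the omission reads as accidental; suggest restoring it as a second sentence after "In a default installation of a computer running at least Windows Vista, if the computer is not joined to a domain, ...".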
@@ -33,7 +34,7 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Prompt for consent on the secure desktop** - When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.* - **Prompt for credential**s 
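Review bot: the trailing `*` appended to "...continues with the user's highest available privilege.*" is meant as a footnote marker for the `\*If you have enabled the built-in Administrator account...` paragraph added in the next hunk, but it is unescaped here while escaped there, so markdown may treat it as an emphasis delimiter. Write it as `\*` in both places, or better, drop the footnote and put the sentence directly under the **Prompt for consent on the secure desktop** bullet as an indented note, the same way the **Elevate without prompting** bullet carries its own note.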
@@ -47,10 +48,17 @@ This policy setting determines the behavior of the elevation prompt for accounts This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. +\*If you have enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. + +> [!NOTE] +> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. + ### Best practices - Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. +- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options 
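Review bot: the added `> [!NOTE]` block ("After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force**...") is pasted verbatim from the Admin Approval Mode page and carries the same capitalized "You"; lowercase it in both places and align "log in and out" with the page's "log on" wording. The preceding footnote paragraph says the same option can be set from the User Account Control Settings slider, so state whether the log-off requirement applies to that path as well. In the new Best practices bullet, the link text "UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account" is the URL slug; use the target page's title ("User Account Control: Admin Approval Mode for the Built-in Administrator account") as the link text instead.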
@@ -58,7 +66,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec ### Default values -| Server type or GPO Default value | +| Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined| | Default Domain Controller Policy | Not defined | diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index 7c44d3803e..8dcde29788 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md @@ -105,7 +105,6 @@ The following table defines which Windows features require TPM support. | Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. | | Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. | | Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. | -| Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. | | Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. | | Device Health Attestation | Required | Required | | | Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | 
diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md index 8203714148..a666d3e71e 100644 --- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,6 +1,6 @@ --- title: TPM Group Policy settings (Windows 10) -description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd ms.prod: w10 ms.mktglfcycl: deploy 
@@ -15,22 +15,15 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. -The TPM Services Group Policy settings are located at: +The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 +The following Group Policy settings were introduced in Window 10: -Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0. - -Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to: -a) disable it from group policy and b) clear the TPM on the system. 
- -**The following Group Policy settings were introduced in Window 10:** - -### Configure the list of blocked TPM commands +## Configure the list of blocked TPM commands This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. @@ -48,7 +41,7 @@ For information how to enforce or ignore the default and local lists of blocked - [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands) -### Ignore the default list of blocked TPM commands +## Ignore the default list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. @@ -58,7 +51,7 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. -### Ignore the local list of blocked TPM commands +## Ignore the local list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. 
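Review bot: the @@ -15,22 hunk deletes the whole "Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0" section, including the warning that once the policy has taken effect, disabling it has no impact until the TPM is cleared, and nothing in the patch replaces it. If the section is being moved, add a link to its new location; if it is simply being removed, the setting introduced in Windows 10, version 1703 becomes undocumented on this page, which should be a deliberate decision stated in the PR. Also, the retained line "+The following Group Policy settings were introduced in Window 10:" keeps the "Window 10" typo from the removed bold version; fix it to "Windows 10" while touching the line.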
@@ -68,7 +61,7 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. -### Configure the level of TPM owner authorization information available to the operating system +## Configure the level of TPM owner authorization information available to the operating system This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. 
@@ -106,7 +99,7 @@ If you enable this policy setting, the Windows operating system will store the T If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. -### Standard User Lockout Duration +## Standard User Lockout Duration This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. 
@@ -125,7 +118,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. -### Standard User Individual Lockout Threshold +## Standard User Individual Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). @@ -137,7 +130,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. -### Standard User Total Lockout Threshold +## Standard User Total Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). 
@@ -156,6 +149,21 @@ If you enable this policy setting, TPM owner information will be automatically a If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. +## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 + +Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. + +> [!IMPORTANT] +> Setting this policy will take effect only if: +- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 +- The system has a TPM 2.0. + +> [!NOTE] +> Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either: +> - Disable it from group policy +> - Clear the TPM on the system + + ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 8ed1a52f71..56c4ddc65a 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md 
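Review bot: the rewritten NOTE in the -156,6 hunk inverts the original's logic. The removed text read "a) disable it from group policy and b) clear the TPM on the system", meaning both steps are required, but the new bullets are introduced with "are to either:", which now reads as two alternatives. Disabling the policy alone has no effect, as the preceding sentence of the same note says, so change "either" to "both" (or write "disable it in Group Policy and then clear the TPM"). Separately, the two bullets under `> [!IMPORTANT]`, `- The TPM was originally prepared...` and `- The system has a TPM 2.0.`, lack the leading `>` and will render outside the callout; prefix them with `> ` as the NOTE block below already does.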
@@ -6,4 +6,5 @@ ## [Application management](/windows/application-management) ## [Access protection](/windows/access-protection) ## [Device security](/windows/device-security) -## [Threat protection](/windows/threat-protection) \ No newline at end of file +## [Threat protection](/windows/threat-protection) +## [Troubleshooting](/windows/client-management/windows-10-support-solutions) \ No newline at end of file diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index fd9171827c..c3b5a294aa 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
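Review bot: the hub TOC hunk rewrites the last line but still ends with `\ No newline at end of file`; since that line is being touched, add the trailing newline so the next change to this file does not show the "Troubleshooting" line as modified again.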
@@ -6,17 +6,20 @@ ### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md) ### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) ### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -#### [Configure endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) +#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) -#### [Configure proxy and Internet settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) +##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) +#### [Configure proxy and Internet connectivity 
settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) ### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) -#### [View the Dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) #### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md) #### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md) ##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) 
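Review bot: the context line `##### [Configure endpoints using System Security Configuration Manager]` in the -6,17 hunk misnames the product; it is System Center Configuration Manager, which is also what the linked filename `configure-endpoints-sccm-...` abbreviates. The line is untouched, but this hunk already reworks the sibling entries around it, so fix the label here.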
@@ -27,17 +30,22 @@ #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) #### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md) -##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) -##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -##### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -##### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) +##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) +###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) #### [Investigate a user 
account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md) #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) +###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) +###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution) ###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) ###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) -###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) ###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md) ###### [Stop and quarantine files in your 
network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) 
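Review bot: the new entry `###### [Restrict app execution](...#restict-app-execution)` in the -27,17 hunk has a misspelled anchor (`restict`). Unless the heading in respond-machine-alerts-windows-defender-advanced-threat-protection.md is itself misspelled, the link will land at the top of the page instead of the section; check the target heading and use `#restrict-app-execution`.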
@@ -63,6 +71,46 @@ #### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md) #### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md) #### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) +#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md) +##### Actor +###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md) +###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +##### Alerts +###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md) +###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +##### Domain +###### [Get domain related 
alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md) +###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md) +###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) +##### File +###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md) +###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md) +###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md) +###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md) +##### IP +###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md) +###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md) +###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md) +##### Machines +###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md) +###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md) +###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md) 
+###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +##### User +###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md) +###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md) +###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md) +### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) #### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) 
@@ -74,12 +122,12 @@ #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) +#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) ### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) - ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) 
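Review bot: the -74,12 hunk adds `#### [Create and build Power BI reports using Windows Defender ATP data](...powerbi-reports-...)` under the configuration section, but the -63,6 hunk above already adds the same topic at `###` level after the User API entries. Two TOC nodes pointing at one file show the topic twice in navigation; keep one placement (the `###` entry beside the API topics is the more natural home) and drop the other.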
@@ -143,10 +191,47 @@ #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) + + +## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md) +### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md) +#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) +#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) + +### [Exploit Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) +#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) +#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) +#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md) +#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md) +##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md) +### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) +#### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) +#### [Enable Attack Surface Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) +#### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) +### [Network 
Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) +#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) +#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) +### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) +#### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) +#### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) +#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) + + + + + + ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md) ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) +##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md) +###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md) +###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md) +###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md) +###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md) +###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md) + ## [Protect your enterprise data using 
Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index e854d43efb..ebec2a5082 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,10 +8,13 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft +ms.author: lizross +ms.date: 08/14/2017 ms.localizationpriority: high --- # Block untrusted fonts in an enterprise + **Applies to:** - Windows 10 
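Review bot: the Application Guard entries in the -143,10 hunk are written as `##[Windows Defender Application Guard](...)` and `###[System requirements for Windows Defender Application Guard](...)` with no space between the `#` marker and the link; CommonMark requires a space after the ATX marker, so these may not be parsed as TOC nodes. Add the space to match every other entry in the file. The run of six empty `+` lines after "Customize Controlled Folder Access" and the three before "Windows Defender Exploit Guard" should also be trimmed to one blank line each.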
@@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature +Use Group Policy or the registry to turn this feature on, off, or to use audit mode. + +**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** +1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. + +2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: + + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + + - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + + - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + +3. Click **OK**. + +**To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: +3. Right click on the **MitigationOptions** key, and then click **Modify**. + + The **Edit QWORD (64-bit) Value** box opens. + +4. 
Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**.

      **Important**
      Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  -4. Restart your computer. + - **To turn this feature off.** Type **2000000000000**. + + - **To audit with this feature.** Type **3000000000000**. + + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + +4. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. @@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 2. Scroll down to **EventID: 260** and review the relevant events. -

      -**Event Example 1 - MS Word**
      -WINWORD.EXE attempted loading a font that is restricted by font loading policy.
      -FontType: Memory
      -FontPath:
      -Blocked: true

      -**Note**
      Because the **FontType** is *Memory*, there’s no associated **FontPath.** -

      -**Event Example 2 - Winlogon**
      -Winlogon.exe attempted loading a font that is restricted by font loading policy.
      -FontType: File
      -FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
      -Blocked: true

      -**Note**
      Because the **FontType** is *File*, there’s also an associated **FontPath.** -

      -**Event Example 3 - Internet Explorer running in Audit mode**
      -Iexplore.exe attempted loading a font that is restricted by font loading policy.
      -FontType: Memory
      -FontPath:
      -Blocked: false

      -**Note**
      In Audit mode, the problem is recorded, but the font isn’t blocked. + + **Event Example 1 - MS Word**
      + WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
      + FontType: Memory
      + FontPath:
      + Blocked: true + + >[!NOTE] + >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + **Event Example 2 - Winlogon**
      + Winlogon.exe attempted loading a font that is restricted by font-loading policy.
      + FontType: File
      + FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
      + Blocked: true + + >[!NOTE] + >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + **Event Example 3 - Internet Explorer running in Audit mode**
      + Iexplore.exe attempted loading a font that is restricted by font-loading policy.
      + FontType: Memory
      + FontPath:
      + Blocked: false + + >[!NOTE] + >In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

      For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.   +## Related content +- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)   diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 885e4d9279..a98bb34278 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md 
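Review bot: the Group Policy step in the -46,19 hunk has a typo, `**Migitation Options**` should be `**Mitigation Options**`, and its three option descriptions say the feature logs "installation attempts"; the event examples later on the page show event 260 recording font loading ("attempted loading a font"), so say "font-loading attempts". In the registry procedure, the new `+3. Right click on the **MitigationOptions** key` and `+4. Make sure the **Base** option is **Hexadecimal**` steps are followed by `+4. Restart your computer.`, so the restart step needs renumbering to 5. While there, MitigationOptions is a value under the `...\Session Manager\Kernel` key, not a key itself (step 2 creates it as a QWORD value), so "key" should read "value" in steps 2 and 3, and the leftover sentence "To turn this feature on, off, or to use audit mode:" directly after the new registry subheading duplicates the new lead-in sentence above the Group Policy procedure.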
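Review bot: the rewritten event examples in the -68,27 hunk change the quoted event text from "restricted by font loading policy" to "restricted by font-loading policy". Those lines reproduce the Win32k event 260 message that readers will search for in Event Viewer, so keep the string verbatim as it appeared in the removed lines. In the -101,12 hunk, the new "Related content" link is titled "Dropping the "Untrusted Font Blocking" setting"; a topic that tells readers how to enable the feature should say in one sentence why a post about dropping the setting is relevant to them, rather than leaving the bare link.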
@@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows |[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| +|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.| |[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| |[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| 
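Review bot: the index.md hunk adds a table row for Windows Defender Application Guard but none for Windows Defender Exploit Guard, even though the TOC hunk at -143,10 in this same change adds a whole Exploit Guard section (Exploit Protection, Attack Surface Reduction, Network Protection, Controlled Folder Access). Add a matching row so the landing-page table and the TOC list the same feature set.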
diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 2bde953608..7e6a5244b8 100644 --- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 66f292c972..7c7eed2793 100644 --- a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Reference topics for management and configuration tools diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 28d95b5f7c..bc92d0c50e 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -10,6 +10,9 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 + --- # Configure scanning options in Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 51e4da766a..5b30a1d8e3 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- 
@@ -43,12 +45,11 @@ You can also [specify how long the file should be prevented from running](config ## How it works -When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. The following video describes how this feature works. +When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. -The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file. +The Block at First Sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. - + If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. diff --git a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 9db9a1a011..ffae20dfe9 100644 
--- a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure the cloud block timeout period diff --git a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 6483bcb53a..6843c1e01d 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure end-user interaction with Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 4b7b42f001..885b929ee5 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Prevent or allow users to locally modify Windows Defender AV policy settings 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 1d44078c65..cc04c936e3 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure and validate network connections for Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 8cce4e1f03..92cb4eab33 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure the notifications that appear on endpoints diff --git a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index c1996876ef..882fec2cbe 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure behavioral, heuristic, and real-time protection diff --git a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 34adf05d43..2f73f17890 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 2ae2cc1683..3c3d477567 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 1e58b44fb0..315e1bc411 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure Windows Defender Antivirus features diff --git a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 6eb5d98e2e..98b3c9615d 100644 --- a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Customize, initiate, and review the results of Windows Defender AV scans and remediation diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 447437331e..02fb05242b 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Deploy, manage, and report on Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 8424255df1..adf719ad5b 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md 
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Deploy and enable Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index c1f14fe426..e33ddf160c 100644 --- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 256b81f90d..c0f1e340b7 100644 --- a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Detect and block Potentially Unwanted Applications 
diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 755d7bb810..a997f2b43b 100644 --- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Enable cloud-delivered protection in Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 15297f3b96..ebc5c3cbc4 100644 --- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Evaluate Windows Defender Antivirus protection diff --git a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 123057dc01..201de035c2 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage event-based forced updates diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 18e242a4f0..bf8666ecc1 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage updates and scans for endpoints that are out of date 
@@ -92,7 +94,7 @@ See the following for more information and allowed parameters: ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)). +You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. **Use Group Policy to specify the number of days before protection is considered out-of-date:** diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index d5838972b1..06ac450ee6 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage the schedule for when protection updates should be downloaded and applied diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index d87bb53800..554e426b6d 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage the sources for Windows Defender Antivirus protection updates 
@@ -63,7 +65,11 @@ The older the updates on an endpoint, the larger the download. However, you must Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth. -The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). +The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). + +> [!IMPORTANT] +> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). +> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). 
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: @@ -73,7 +79,7 @@ WSUS | You are using WSUS to manage updates for your network. Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates. File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. Configuration Manager | You are using System Center Configuration Manager to update your endpoints. -MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. +MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. 
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 374162b001..77c6833644 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage Windows Defender Antivirus updates and apply baselines diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index efcdb994fa..638419e42b 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage updates for mobile devices and virtual machines (VMs) diff --git a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 1da8e5b737..0c2af7f269 100644 --- a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Prevent users from seeing or interacting with the Windows Defender AV user interface diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 2082f44329..ba5043b800 100644 --- a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Report on Windows Defender Antivirus protection diff --git a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 3307e84851..90bc57e8a3 100644 --- a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Review Windows Defender AV scan results diff --git a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 0fb07edd90..e4f58850f2 100644 --- a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index f9ad88746b..deb05534d1 100644 --- a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 8e3ea5d3bf..8a1f3a3a08 100644 --- a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Specify the cloud-delivered protection level diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index 79abd8d757..55a97e770f 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use Group Policy settings to configure and manage Windows Defender AV @@ -82,7 +84,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not Reporting | Configure time out for detections in recently remediated state | Not used Reporting | Configure time out for detections requiring additional action | Not used Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -Root | Turn off Windows Defender Antivirus | Not used +Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly) Root | Define addresses to bypass proxy server | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used diff --git a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 49226c4cf3..914d50f8b3 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV 
diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 91fc5c207e..6a3cb8e8bd 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use PowerShell cmdlets to configure and manage Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index 306bf240d2..e009932162 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 49d63c897a..6a6267b89a 100644 --- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus @@ -31,6 +33,11 @@ Cloud-delivered protection for Windows Defender Antivirus, also referred to as M Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds. +The following video describes how it works: + + + Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager. diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 8b27b216a4..2f90715cf9 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Windows Defender Antivirus in Windows 10 and Windows Server 2016 diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index f15f7b81a6..91520bc734 100644 
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 4672b5eff4..3168581911 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Run and review the results of a Windows Defender Offline scan diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 107ae34521..dc8b0b0597 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md new file mode 100644 index 0000000000..0018059252 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -0,0 +1,45 @@ +--- +title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +--- + +# Configure Windows Defender Application Guard policy settings + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. + +Application Guard uses both network isolation and application-specific settings. + +### Network isolation settings +These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. + +>[!NOTE] +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. + + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. 
Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| + +### Application-specific settings +These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. + +|Name|Supported versions|Description|Options| +|-----------|------------------|-----------|-------| +|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:

      • Disable the clipboard functionality completely when Virtualization Security is enabled.
      • Enable copying of certain content from Application Guard into Microsoft Edge.
      • Enable copying of certain content from Microsoft Edge into Application Guard.

        **Important**
        Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      • Enable Application Guard to print into the XPS format.
      • Enable Application Guard to print into the PDF format.
      • Enable Application Guard to print to locally attached printers.
      • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **Note**
      If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
      **To reset the container:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`.
        The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
        The container environment is reset, including discarding all employee-generated data.
      | +|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

      **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| + diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md new file mode 100644 index 0000000000..d5206df9fb --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -0,0 +1,43 @@ +--- +title: Frequently asked questions - Windows Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +--- + +# Frequently asked questions - Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. + +## Frequently Asked Questions + +| | | +|---|----------------------------| +|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| +|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +
      + +| | | +|---|----------------------------| +|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| +|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.| +
      + +| | | +|---|----------------------------| +|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| +|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| +
      + +| | | +|---|----------------------------| +|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| +|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png new file mode 100644 index 0000000000..6f2bb5afcf Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png new file mode 100644 index 0000000000..f1391f862c Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png new file mode 100644 index 0000000000..e0bedcd7cd Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png new file mode 100644 index 0000000000..357be9c65b Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png differ 
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png new file mode 100644 index 0000000000..25c22912a5 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png new file mode 100644 index 0000000000..48aa702feb Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png new file mode 100644 index 0000000000..56acb4be53 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png new file mode 100644 index 0000000000..c5e7982909 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png new file mode 100644 index 0000000000..01f4eb6359 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png differ 
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png new file mode 100644 index 0000000000..3fe617b8ed Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png new file mode 100644 index 0000000000..a946325c66 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png new file mode 100644 index 0000000000..877b707030 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png new file mode 100644 index 0000000000..5172022256 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md new file mode 100644 index 0000000000..0504f9f546 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md 
@@ -0,0 +1,55 @@ +--- +title: Prepare and install Windows Defender Application Guard (Windows 10) +description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +--- + +# Prepare and install Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +## Prepare to install Windows Defender Application Guard +Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. + +- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. + +- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. + +The following diagram shows the flow between the host PC and the isolated container. +![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) + +## Install Application Guard +Application Guard functionality is turned off by default. 
However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +**To install by using the Control Panel** +1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. + + ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) + +2. Select the check box next to **Windows Defender Application Guard** and then click **OK**. + + Application Guard and its underlying dependencies are all installed. + +**To install by using PowerShell** +1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. + +2. Right-click **Windows PowerShell**, and then click **Run as administrator**. + + Windows PowerShell opens with administrator credentials. + +3. Type the following command: + + ``` + Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard + ``` +4. Restart the device. + + Application Guard and its underlying dependencies are all installed. + diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md new file mode 100644 index 0000000000..15b33475fa --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md 
@@ -0,0 +1,38 @@ +--- +title: System requirements for Windows Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +--- + +# System requirements for Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. + +## Hardware requirements +Your environment needs the following hardware to run Application Guard. + +|Hardware|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

      **-AND-**

      One of the following virtualization extensions for VBS:

      VT-x (Intel)

      **-OR-**

      AMD-V| +|Hardware memory|8 GB minimum, 16 GB recommended| +|Hard disk|5 GB free space, solid state disk (SSD) recommended| +|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| + +## Software requirements +Your environment needs the following hardware to run Application Guard. + +|Software|Description| +|--------|-----------| +|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)| +|Browser|Microsoft Edge and Internet Explorer| +|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

      **-OR-**

      [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

      **-OR-**

      [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md new file mode 100644 index 0000000000..b7cb312c08 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md 
@@ -0,0 +1,158 @@ +--- +title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10) +description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +--- + +# Testing scenarios using Windows Defender Application Guard in your business or organization + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. + +## Application Guard in standalone mode +You can see how an employee would use standalone mode with Application Guard. + +**To test Application Guard in Standalone mode** + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. + + ![New Application Guard window setting option](images/appguard-new-window.png) + +4. Wait for Application Guard to set up the isolated environment. + + >[!NOTE] + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + +5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. 
+ + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +## Application Guard in Enterprise-managed mode +How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. + +### Install, set up, and turn on Application Guard +Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings. + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device and then start Microsoft Edge. + +4. Set up the Network Isolation settings in Group Policy: + + a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. + + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + + c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + + ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + + d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + + e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + + ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + +5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting. + +6. Click **Enabled**. 
+ + ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + + >[!NOTE] + >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + +7. Start Microsoft Edge and type _www.microsoft.com_. + + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + + ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) + +8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. + + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. + + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +### Customize Application Guard +Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees. + +Application Guard provides the following default behavior for your employees: + +- No copying and pasting between the host PC and the isolated container. + +- No printing from the isolated container. + +- No data persistence from one isolated container to another isolated container. + +You have the option to change each of these settings to work with your enterprise from within Group Policy. + +**To change the copy and paste options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled**. + + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) + +3. 
Choose how the clipboard works: + + - Copy and paste from the isolated session to the host PC + + - Copy and paste from the host PC to the isolated session + + - Copy and paste both directions + +4. Choose what can be copied: + + - **1.** Only text can be copied between the host PC and the isolated container. + + - **2.** Only images can be copied between the host PC and the isolated container. + + - **3.** Both text and images can be copied between the host PC and the isolated container. + +5. Click **OK**. + +**To change the print options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled**. + + ![Group Policy editor Print options](images/appguard-gp-print.png) + +3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. + +4. Click **OK**. + +**To change the data persistence options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) + +3. Open Microsoft Edge and browse to an untrusted, but safe URL. + + The website opens in the isolated session. + +4. Add the site to your **Favorites** list and then close the isolated session. + +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + + The previously added site should still appear in your **Favorites** list. 
+ + >[!NOTE] + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

      If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`.
        The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
        The container environment is reset, including discarding all employee-generated data.
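Review bot: steps 2 and 3 under "To reset the container" read as a sequence but are two different commands with opposite outcomes: `wdagtool.exe cleanup` keeps the employee-generated data, while `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER` discards it, and the intro sentence says the goal is "to reset the container and to discard any personal data". Present them as alternatives (run one or the other depending on whether persisted data should survive) and say whether the command needs an elevated prompt. Two smaller points in the same region: the clipboard and print procedures should state plainly that allowing copy from the isolated session to the host PC, or printing to local and network printers, moves data across the isolation boundary the feature exists to provide, so the least-permissive option that still meets the productivity need should be chosen and tested first; and the "Choose how the clipboard works" list is unnumbered while "Choose what can be copied" is numbered 1-3, so the reader cannot tell which value to enter for the direction setting.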
      diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md new file mode 100644 index 0000000000..df475ea509 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md 
@@ -0,0 +1,46 @@ +--- +title: Windows Defender Application Guard (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +--- + +# Windows Defender Application Guard overview + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. + +Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. + + +## What is Application Guard and how does it work? +Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. + +If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. 
+ +![Hardware isolation diagram](images/appguard-hardware-isolation.png) + +### What types of devices should use Application Guard? +Application Guard has been created to target 3 types of enterprise systems: + +- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. + +- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. + +- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. + +## In this section +|Topic |Description | +|------|------------| +|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. | +|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. 
| +|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| +|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.| +|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index 3e2f82bcdc..1c0e90fab7 100644 --- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -10,7 +10,9 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- + # Turn on advanced features in Windows Defender ATP **Applies to:** @@ -21,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: 
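Review bot: in wd-app-guard-overview.md, "this approach makes the isolated container anonymous" is vague and "anonymous" is not defined anywhere in the file; the same sentence already carries the concrete claim ("an attacker can't get to your employee's enterprise credentials"), so state the property directly, that the container does not hold the employee's enterprise credentials, and drop "anonymous". Also in this file: "target 3 types" should be "three types" to match the prose style of the rest of the page, and the file is added without a trailing newline ("\ No newline at end of file"), which the advanced-features topic in the next hunk repeats.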
@@ -32,7 +36,7 @@ If your organization satisfies these conditions, the feature is enabled by defau ## Show user details When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views: -- Dashboard +- Security operations dashboard - Alert queue - Machine details page @@ -57,3 +61,4 @@ When you enable this feature, you'll be able to incorporate data from Office 365 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index c56729bba8..5b05198ca9 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # View and organize the Windows Defender Advanced Threat Protection Alerts queue 
@@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on. Alerts are organized in queues by their workflow status or assignment: @@ -30,6 +33,7 @@ Alerts are organized in queues by their workflow status or assignment: - **In progress** - **Resolved** - **Assigned to me** +- **Suppression rules** To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. 
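Review bot: adding **Suppression rules** to this list makes the lead-in sentence wrong; the list is introduced with "Alerts are organized in queues by their workflow status or assignment", and suppression rules are neither a status nor an assignment. Either move the item out of this list into its own sentence describing the suppression-rules view, or reword the lead-in so it covers it.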
@@ -112,13 +116,14 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together ![Alerts queue bulk edit](images/alerts-q-bulk.png) ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender 
ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index bec8ac80d7..2d146c99a0 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender ATP alert API fields @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. @@ -273,7 +276,7 @@ Field numbers match the numbers in the images below. ![Image of alert details pane with numbers](images/atp-siem-mapping13.png) -![Image of alert timeline with numbers](images/atp-siem-mapping3.png) +![Image of artifact timeline with numbers](images/atp-siem-mapping3.png) ![Image of alert timeline with numbers](images/atp-siem-mapping4.png) diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 8084be4e84..3f9933916f 100644 --- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md 
@@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Assign user access to the Windows Defender ATP portal @@ -23,6 +24,8 @@ ms.localizationpriority: high - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles. ## Assign user access using Azure PowerShell diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index ff45bb42eb..723ff75a42 100644 --- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Check the health state of the sensor in Windows Defender ATP description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data. -keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication +keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Check sensor health state in Windows Defender ATP 
@@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. @@ -49,7 +51,7 @@ You can filter the health state list by the following status: - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service. - **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues: - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine. - - **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. + - **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon. diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index df4b70e28a..beff40e45f 100644 
--- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure HP ArcSight to pull Windows Defender ATP alerts @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 97bfb2b0af..59f69d831e 100644 --- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure email notifications in Windows Defender ATP @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] 
@@ -74,3 +77,4 @@ This section lists various issues that you may encounter when using email notifi - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index dd813aefb9..2d17ac8b25 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using Group Policy 
@@ -23,13 +24,16 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + > [!NOTE] > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint management** on the **Navigation pane**. + a. Click **Endpoint management** > **Clients** on the **Navigation pane**. b. Select **Group Policy**, click **Download package** and save the .zip file. @@ -49,6 +53,7 @@ ms.localizationpriority: high 9. Click **OK** and close any open GPMC windows. + ## Additional Windows Defender ATP configuration settings For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. @@ -150,4 +155,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index a1a712f714..a1f1d75d60 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using Mobile Device Management tools @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). 
@@ -106,7 +109,7 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint management** > **Client management** on the **Navigation pane**. + a. Select **Endpoint management** > **Clients** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. 
@@ -124,30 +127,44 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png) -4. Type a name, description and choose **Windows 10 and later** as the Platform and **Windows Defender ATP (Windows 10 Desktop)** as the Profile type. +6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type. - ![Image of naming a policy](images/atp-azure-intune-create-policy-configure.png) + ![Image of naming a policy](images/atp-intune-custom.png) 7. Click **Settings** > **Configure**. - ![Image of settings](images/atp-azure-intune-settings-configure.png) + ![Image of settings](images/atp-intune-configure.png) -8. Click the folder icon and select the WindowsDefenderATP.onboarding file you extracted earlier. Configure whether you want to allow sample collection from endpoints for [Deep Analysis](investigate-files-windows-defender-advanced-threat-protection.md) by choosing **All**, or disable this feature by choosing **None**. When complete, click **OK**. +8. Under Custom OMA-URI Settings, click **Add**. - ![Image of configuration settings](images/atp-azure-intune-configure.png) + ![Image of configuration settings](images/atp-custom-oma-uri.png) -9. Click **Create**. +9. Enter the following values, then click **OK**. - ![Image of profile creation](images/atp-azure-intune-create.png) + ![Image of profile creation](images/atp-oma-uri-values.png) -10. Search for and select the Group you want to apply the Configuration Policy to, then click **Select**. + - **Name**: Type a name for the setting. + - **Description**: Type a description for the setting. + - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_ + - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded. 
- ![Image of select groups to apply configuration policy](images/atp-azure-intune-select-group.png) +10. Save the settings by clicking **OK**. + +11. Click **Create**. -11. Click **Save** to finish deploying the Configuration Policy. + ![Image of the policy being created](images/atp-intune-create-policy.png) - ![Image of the policy being saved](images/atp-azure-intune-save-policy.png) +12. To deploy the Profile, click **Assignments**. + ![Image of groups](images/atp-intune-assignments.png) + +13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**. + + ![Image of groups](images/atp-intune-group.png) + +14. Click **Save** to finish deploying the Configuration Profile. + + ![Image of deployment](images/atp-intune-save-deployment.png) ### Offboard and monitor endpoints @@ -189,4 +206,5 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 59794d532f..89b06fa326 100644 
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using System Center Configuration Manager @@ -23,6 +24,8 @@ ms.localizationpriority: high - Windows Defender Advanced Threat Protection (Windows Defender ATP) - System Center 2012 Configuration Manager or later versions +[!include[Prerelease information](prerelease.md)] + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). @@ -169,4 +172,5 @@ For more information about System Center Configuration Manager Compliance see [C - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 0f47beb693..e2993d8ccb 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using a local script @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. > [!NOTE] @@ -121,4 +124,5 @@ Monitoring can also be done directly on the portal, or by using the different de - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
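Review bot: in the Intune custom OMA-URI procedure in configure-endpoints-mdm-windows-defender-advanced-threat-protection.md, step 9 ends with "then click **OK**" and step 10 is "Save the settings by clicking **OK**", so the reader is told to click OK twice for one dialog; fold the click into step 10. The field list under step 9 (Name, Description, OMA-URI, Value) omits the data type of the custom OMA-URI setting; if the form requires one, document it (String, for the pasted contents of WindowsDefenderATP.onboarding) so the value is not rejected. The renumbering of the old "4." to "6." also implies the steps before this hunk changed in context that is not shown; confirm steps 1-5 are consistent with the new sequence.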
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8d28359a61 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,82 @@ +--- +title: Configure non-persistent virtual desktop infrastructure (VDI) machines +description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. +keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Configure non-persistent virtual desktop infrastructure (VDI) machines + +**Applies to:** +- Virtual desktop infrastructure (VDI) machines + +[!include[Prerelease information](prerelease.md)] + +## Onboard non-persistent virtual desktop infrastructure (VDI) machines + +Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: + + +- Instant early onboarding of a short living session + - A session should be onboarded to Windows Defender ATP prior to the actual provisioning. + +- Machine name persistence + - The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name. + +You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries. + +1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. 
Click **Endpoint management** > **Clients** on the **Navigation pane**. + + b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file. + +2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. + + >[!NOTE] + >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + +3. The following step is only applicable if you're implementing a single entry for each machine:
      + **For single entry for each machine**:
      + a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
      + + >[!NOTE] + >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + +4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. + +5. Depending on the method you'd like to implement, follow the appropriate steps:
      + **For single entry for each machine**:
      + Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.

      + **For multiple entries for each machine**:
      + Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. + +6. Test your solution: + + a. Create a pool with one machine. + b. Logon to machine. + c. Logoff from machine. + d. Logon to machine with another user. + e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
      + **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal. + +7. Click **Machines list** on the Navigation pane. + +8. Use the search function by entering the machine name and select **Machine** as search type. + +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) + + diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index f0e8bcee5c..8b9d4a256a 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md 
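Review bot: in step 5 under "For multiple entries for each machine", `WindowsDefenderATPOnboardingScript.cmd` is called "the onboarding bash script"; a `.cmd` file is a Windows command script, so say "the onboarding batch script" (the single-entry branch correctly says "PowerShell script"). The front-matter description needs grammar fixes ("on virtual desktop infrastructure (VDI) machines so that they are onboarded to the Windows Defender ATP service"), "short living session" should read "short-lived session", and the `[!NOTE]` about the hidden Startup folder is repeated verbatim under step 3; keep it once under step 2. In step 6, "Logon" and "Logoff" used as verbs should be "Log on" and "Log off". Because steps 2 and 3 place the scripts in the golden image under `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` and step 5 registers them as machine startup scripts, the page should also say whether the package downloaded from the onboarding wizard is specific to your tenant and how the golden image that contains it should be protected.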
@@ -1,7 +1,7 @@ --- -title: Configure Windows Defender ATP endpoints -description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor. -keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +title: Configure Windows Defender ATP client endpoints +description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor. +keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,9 +10,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- -# Configure Windows Defender ATP endpoints +# Configure Windows Defender ATP client endpoints **Applies to:** @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. Windows Defender ATP supports the following deployment tools and methods: 
@@ -38,3 +41,4 @@ Topic | Description [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints. [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints. [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. +[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines. diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 1a162b7913..1363cca541 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- 
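Review bot: the unchanged rows of this table carry typos that should be fixed while the table is being touched: "You can use either use System Center Configuration Manager" (drop one "use") and "Mobile Device Managment" ("Management"). The added VDI row's description, "Learn how to use the configuration package to configure VDI machines", could say that the page covers non-persistent sessions with single or multiple machine entries, which is what distinguishes it from the local script page.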
@@ -23,6 +24,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. @@ -80,10 +83,10 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -Primary Domain Controller | .Microsoft.com DNS record +Service location | .Microsoft.com DNS record :---|:--- - US |```*.blob.core.windows.net```
      ```crl.microsoft.com```
      ```us.vortex-win.data.microsoft.com```
      ```winatp-gw-cus.microsoft.com```
      ```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
      ```crl.microsoft.com```
      ```eu.vortex-win.data.microsoft.com```
      ```winatp-gw-neu.microsoft.com```
      ```winatp-gw-weu.microsoft.com```
      + US |```*.blob.core.windows.net```
      ```crl.microsoft.com```
      ```ctldl.windowsupdate.com```
      ```us.vortex-win.data.microsoft.com```
      ```winatp-gw-cus.microsoft.com```
      ```winatp-gw-eus.microsoft.com``` +Europe |```*.blob.core.windows.net```
      ```crl.microsoft.com```
      ```ctldl.windowsupdate.com```
      ```eu.vortex-win.data.microsoft.com```
      ```winatp-gw-neu.microsoft.com```
      ```winatp-gw-weu.microsoft.com```
      If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..f359c9d10b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,87 @@ +--- +title: Configure Windows Defender ATP server endpoints +description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor. +keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 09/05/2017 +--- + +# Configure Windows Defender ATP server endpoints + +**Applies to:** + +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. + +Windows Defender ATP supports the onboarding of the following servers: +- Windows Server 2012 R2 +- Windows Server 2016 + +## Onboard server endpoints + +To onboard your servers to Windows Defender ATP, you’ll need to: + +- Turn on server monitoring from the Windows Defender Security Center portal. +- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. + + +### Turn on Server monitoring from the Windows Defender Security Center portal + +1. In the navigation pane, select **Endpoint management** > **Server management**. + +2. 
Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. + + ![Image of server onboarding](images/atp-server-onboarding.png) + + +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP + +1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). + +2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: + - [Manually install the agent using setup](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
      + On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. + - [Install the agent using the command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). + +Once completed, you should see onboarded servers in the portal within an hour. + +### Configure server endpoint proxy and Internet connectivity settings +- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: + +| Agent Resource | Ports | +|------------------------------------|-------------| +| *.oms.opinsights.azure.com | 443 | +| *.blob.core.windows.net | 443 | +| *.azure-automation.net | 443 | +| *.ods.opinsights.azure.com | 443 | +| winatp-gw-cus.microsoft.com | 443 | +| winatp-gw-eus.microsoft.com | 443 | +| winatp-gw-neu.microsoft.com | 443 | +| winatp-gw-weu.microsoft.com | 443 | + + +### Offboard server endpoints +To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. 
+For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). + +>[!NOTE] +>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. + +## Related topics +- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) +- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index 7b1168f940..c90b025275 100644 --- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Pull alerts to your SIEM tools 
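Review bot: the front matter uses `localizationpriority: high` where every other page in this change uses `ms.localizationpriority: high`; fix the key so the metadata is read. In "Install and configure Microsoft Monitoring Agent", step 3 says "You'll need to configure proxy settings" unconditionally, although the proxy section states the connection can be direct, through a proxy, or through the OMS Gateway; make it conditional ("If the server reaches the Internet through a proxy, ..."). "MMA agent" repeats "agent", and "choose any of the following installation methods" should be "choose one of". Since the Workspace ID and Workspace key are what the agent uses to report into the workspace, the page should say how to protect the key and whether it can be regenerated from the portal.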
@@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + ## Pull alerts using supported security information and events management (SIEM) tools Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index f698a6aeb3..701451367b 100644 --- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure Splunk to pull Windows Defender ATP alerts @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 9a12691b2c..48810c5ae3 100644 
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Create custom alerts using the threat intelligence (TI) application program interface (API) @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md index 6c6ffef9ba..333d2f5e83 100644 --- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: View the Windows Defender Advanced Threat Protection Dashboard +title: Windows Defender Advanced Threat Protection Security operations dashboard description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh @@ -10,9 +10,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- -# View the Windows Defender Advanced Threat Protection Dashboard +# View the Windows Defender Advanced Threat Protection Security operations dashboard **Applies to:** @@ -22,7 +23,9 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Dashboard** displays a snapshot of: +[!include[Prerelease information](prerelease.md)] + +The **Security operations dashboard** displays a snapshot of: - The latest active alerts on your network - Daily machines reporting 
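Review bot: the title is renamed to "... Security operations dashboard", but the `description` line in the same hunk still says "Use the Dashboard to identify ..." and `keywords` still starts with "dashboard"; update both so the page metadata matches the new name.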
@@ -34,7 +37,7 @@ The **Dashboard** displays a snapshot of: You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. -From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. +From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview. diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 740f5bfac2..c482403b20 100644 --- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender ATP data storage and privacy @@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. > [!NOTE] 
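Review bot: in the data-storage hunk the `[!include[Prerelease information](prerelease.md)]` line is added directly above "This section covers..." with no blank line, unlike the other pages in this change; add the blank line so the include does not run into the paragraph.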
@@ -71,5 +73,9 @@ Your data will be kept for a period of at least 90 days, during which it will be ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards. -By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. + + +By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. + +For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 4a0d314348..e3a3b4ae51 100644 
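Review bot: the rewritten paragraph changes the statement from "has a roadmap ... starting with ISO 27001" to "is ISO 27001 certified"; the Trust Center link is added to support exactly that, so keep the sentence and the link adjacent and drop the two consecutive blank lines now separating the paragraphs (one is enough). "independently-verified" does not need the hyphen.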
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender compatibility @@ -23,6 +24,8 @@ ms.localizationpriority: high - Windows Defender - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning. If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index 000296d697..32ba05c13a 100644 --- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Enable the custom threat intelligence API in Windows Defender ATP 
@@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. 1. In the navigation pane, select **Preference Setup** > **Threat intel API**. diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 13f4d9520a..26467de977 100644 --- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Enable SIEM integration in Windows Defender ATP @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. 1. In the navigation pane, select **Preferences setup** > **SIEM integration**. diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index cea3a9d683..4200e50e85 100644 
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -7,9 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: iawilt -author: iaanw +ms.author: macapara +author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- @@ -24,6 +25,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints. For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index ebd6f01e25..d5eb939076 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Experiment with custom threat intelligence (TI) alerts 
@@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..239c463a13 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
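Review bot: the `[!include[Prerelease information](prerelease.md)]` added to experiment-custom-ti is followed directly by the `With the Windows Defender ATP threat intelligence API...` paragraph with no blank line (the hunk header is `+23,7` where every sibling file in this change is `+23,8`). Add the blank line so the include directive stands as its own paragraph and renders the same way as on the other pages.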
@@ -0,0 +1,100 @@ +--- +title: Use the Windows Defender Advanced Threat Protection exposed APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Use the Windows Defender ATP exposed APIs + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Run queries on the graph API + +### Before you begin +Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. 
+ + ![Image of Create application window](images/atp-azure-create.png) + + - **Name:** WinATPGraph + - **Application type:** Native + - **Redirect URI:** `https://localhost` + + +4. Navigate and select the newly created application. + ![Image of new app in Azure](images/atp-azure-atp-app.png) + +5. Click **All settings** > **Required permissions** > **Add**. + + ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png) + +6. Click **Select an API** > **Microsoft Graph**, then click **Select**. + + ![Image of API access and API selection](images/atp-azure-api-access.png) + + +7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**. + + ![Image of select permissions](images/atp-azure-select-permissions.png) + +You can now use the code snippets in the following sections to query the API using the created app ID. + +## Get an access token +1. Get the Client ID from the application you created. + +2. Use the **Client ID**. For example: + ``` + private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + private const string resourceId = "https://graph.microsoft.com"; + private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; + private const string redirect = "https://localhost"; + HttpClient client = new HttpClient(); + AuthenticationContext auth = new AuthenticationContext(authority); + var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; + client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); + ``` + +## Query the graph +Once the bearer token is retrieved, you can easily invoke the graph APIs. 
For example: + +``` +client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); +// sample endpoint +string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5"; +HttpResponseMessage response = client.GetAsync(ep).Result; +string resp = response.Content.ReadAsStringAsync().Result; +Console.WriteLine($"response for: {ep} \r\n {resp}"); +``` + + +## Related topics +- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cd1e27c74b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md 
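Review bot: the `authority` constant in the access-token snippet is wrong for the library the snippet uses: `private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";` is the v2 authorize endpoint, but `new AuthenticationContext(authority)` is the ADAL constructor, which expects an authority of the form `https://login.microsoftonline.com/common` (or a tenant) and composes the endpoint paths itself, so `AcquireTokenAsync` will not reach the right endpoint as written. The page also links to the v2 authorization-code flow while the code acquires a token for a `resourceId`, which is the v1/ADAL model; change either the link or the snippet so they describe the same flow. Smaller points in the same file: the snippet needs its `using` directives and the ADAL package name to be copy-pastable; `string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";` leaves `{VERSION}` unexplained although every API page in this change uses `testwdatppreview` for that segment, so say so; `progammatic` in the description should be `programmatic`; and `Microsoft Intelligence Security Graph` should read `Microsoft Intelligent Security Graph`.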
@@ -0,0 +1,72 @@ +--- +title: Find machine information by interal IP API +description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or interal IP. +keywords: apis, graph api, supported apis, find machine, machine information, IP +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Find machine information by interal IP +Find a machine entity around a specific timestamp by FQDN or internal IP. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN}) +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK. +If no machine found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN}) +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", + "computerDnsName": "", + "firstSeen": "2017-07-06T01:25:04.9480498Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index ec792a86dc..89ede3edae 100644 
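Review bot: `interal` appears three times in this new file (title, description, and the H1 `# Find machine information by interal IP`) and should be `internal`. The request `GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})` also never says what format `{time}` takes; the response shows `firstSeen` as ISO 8601 (`2017-07-06T01:25:04.9480498Z`), so state whether the parameter uses the same form and put a concrete value in the example request instead of repeating the placeholders. Finally, the request-headers table lists `Content type | application/json` for a GET with an empty body: the header is spelled `Content-Type` and adds nothing to a bodiless request, so either drop the row or name it correctly. That table is copied into every new API page in this change, so fix it once and propagate.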
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Fix unhealthy sensors in Windows Defender ATP description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine. -keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication +keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Fix unhealthy sensors in Windows Defender ATP @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured. ## Inactive machines 
@@ -41,13 +44,13 @@ Do you expect a machine to be in ‘Active’ status? [Open a support ticket tic ## Misconfigured machines Misconfigured machines can further be classified to: - - Impaired communication + - Impaired communications - No sensor data -### Impaired communication +### Impaired communications This status indicates that there's limited communication between the machine and the service. -The following suggested actions can help fix issues related to a misconfigured machine with impaired communication: +The following suggested actions can help fix issues related to a misconfigured machine with impaired communications: - [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
      The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md index 4e1390a814..db7f9796a9 100644 --- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Update general Windows Defender ATP settings @@ -21,6 +22,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. 1. In the navigation pane, select **Preferences setup** > **General**. @@ -39,3 +42,4 @@ During the onboarding process, a wizard takes you through the general settings o - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
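Review bot: renaming `### Impaired communication` to `### Impaired communications` changes the heading's generated anchor from `#impaired-communication` to `#impaired-communications`, so any inbound link to the old anchor elsewhere in the doc set needs checking before merge. The unchanged context line `The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP)` has a typo (`Window` for `Windows`) worth fixing while the file is open. In general-settings, the appended Power BI link arrives with `\ No newline at end of file`; add the trailing newline so the next addition to the related-topics list does not show up as a change to this line.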
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..b5745d86a0 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md @@ -0,0 +1,67 @@ +--- +title: Get actor information API +description: Retrieves an actor information report. +keywords: apis, graph api, supported apis, get, actor, information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get actor information +Retrieves an actor information report. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/actor/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and actor exists - 200 OK. +If actor does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/actors/zinc +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity", + "id": "zinc", + "linkToReport": "link-to-pdf" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..d22c9702da 
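Review bot: the documented route and the example disagree on the resource name: the HTTP request section says `GET /testwdatppreview/actor/{id}/` while the example calls `GET https://graph.microsoft.com/testwdatppreview/actors/zinc` (the trailing slash in the first form is also absent from the example). A reader copying the route from the first block will get a 404 that the Response section then misattributes to a missing actor. Pick the form the service actually accepts and use it in both places.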
--- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,77 @@ +--- +title: Get actor related alerts API +description: Retrieves all alerts related to a given actor. +keywords: apis, graph api, supported apis, get, actor, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get actor related alerts +Retrieves all alerts related to a given actor. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/actor/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert exists - 200 OK. +If actor does not exist or no related alerts - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 3, + "value": [ + { + "id": "636390437845006321_-1646055784", + "severity": "Medium", + "status": "Resolved", + "description": "Malware associated with ZINC has been detected.", + "recommendedAction": "1.\tContact your incident response team.", + "alertCreationTime": "2017-08-23T00:09:43.9057955Z", + "category": "Malware", + "title": "Malware associated with the activity group ZINC was discovered", +… +} +``` 
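Review bot: same route mismatch as the actor information page: `GET /testwdatppreview/actor/{id}/alerts` in the HTTP request section versus `/testwdatppreview/actors/zinc/alerts` in the example; make them agree. The Response section also says `If actor does not exist or no related alerts - 404 Not Found`, which folds two different conditions into one status; confirm with the service owners that an existing actor with zero alerts really returns 404 rather than 200 with an empty `value` array, because callers otherwise cannot tell an unknown actor from a quiet one.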
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5a3baedc8a --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert information by ID +Retrieves an alert by its ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert exists - 200 OK. +If alert not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity", + "id": "636396039176847743_89954699", + "severity": "Informational", + "status": "New", + "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs", + "recommendedAction": "Collect artifacts and determine scope.", + "alertCreationTime": "2017-08-29T11:45:17.5754165Z", +… +} + +``` 
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8727105bd0 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,69 @@ +--- +title: Get alert related actor information API +description: Retrieves the actor information related to the specific alert. +keywords: apis, graph api, supported apis, get, alert, actor, information, related +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert related actor information +Retrieves the actor information related to the specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/actor +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and actor exist - 200 OK. +If alert not found or actor not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor +Content-type: application/json + +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity", + "id": "zinc", + "linkToReport": "link-to-pdf" +} + +``` 
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..d22d6043a1 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,71 @@ +--- +title: Get alert related domain information +description: Retrieves all domains related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related domain +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert related domain information +Retrieves all domains related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/domains +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and domain exist - 200 OK. +If alert not found or domain not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains", + "value": [ + { + "host": "www.example.com" + } + ] +} + +``` 
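Review bot: the `title:` here is `Get alert related domain information` with no `API` suffix, while the other new pages in this change follow the pattern `Get actor information API`, `Get alert information by ID API`, `Get alerts API`. The related files, IP, machine and user pages added below have the same omission. Settle on one form for the whole set so the TOC and search results read consistently.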
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7020f3ddb1 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,73 @@ +--- +title: Get alert related files information +description: Retrieves all files related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related files +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert related files information +Retrieves all files related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/files +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and files exist - 200 OK. +If alert not found or files not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files", + "value": [ + { + "sha1": "121c7060dada38275d7082a4b9dc62641b255c36", + "sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94", + "md5": "776c970dfd92397b3c7d74401c85cd40", + "globalPrevalence": null, + "globalFirstObserved": null, +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..83ff265f9a --- /dev/null 
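Review bot: the response example is not valid JSON: it opens with `"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",` directly under the `Content-type` line with no opening `{`, yet closes with `}`. Add the opening brace; the actor and domain pages in this change show the intended shape.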
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get alert related IP information +description: Retrieves all IPs related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert related IP information +Retrieves all IPs related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/ips +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and an IP exist - 200 OK. +If alert not found or IPs not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips", +"value": [ + { + "id": "104.80.104.128" + }, + { + "id": "23.203.232.228 +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..1051f8e032 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md 
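Review bot: the response example has an unterminated string, `"id": "23.203.232.228` with no closing quote before the `…` elision, so the sample cannot be parsed. Separately, `104.80.104.128` and `23.203.232.228` are real routable addresses; the domain page in this change uses `www.example.com`, so use the reserved documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) here for the same reason. The `"value": [` line is also indented differently from the rest of the object.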
@@ -0,0 +1,68 @@ +--- +title: Get alert related machine information +description: Retrieves all machines related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert related machine information +Retrieves all machines related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/machine +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and machine exist - 200 OK. +If alert not found or machine not found - 404 Not Found. + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity", + "id": "207575116e44741d2b22b6a81429b3ca4fd34608", + "computerDnsName": "machine1-corp.contoso.com", + "firstSeen": "2015-12-01T11:31:53.7016691Z", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..008f657eb7 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md 
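Review bot: the description `Retrieves all machines related to a specific alert` promises a collection, but the route `GET /testwdatppreview/alerts/{id}/machine` is singular and the example response is a single entity (`$metadata#Machines/$entity` with one `id`). Say that the call returns the one machine the alert was raised on, or, if the service can return several, change the route and the example to a collection. As written, a reader will expect a `value` array that is not there.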
@@ -0,0 +1,71 @@ +--- +title: Get alert related user information +description: Retrieves the user associated to a specific alert. +keywords: apis, graph api, supported apis, get, alert, information, related, user +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alert related user information +Retrieves the user associated to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/user +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and a user exists - 200 OK. +If alert not found or user not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity", + "id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868", + "accountSid": null, + "accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868", + "accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..27cbaabe0a --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md 
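Review bot: the example response is a scrubbed dump rather than a sample: `"id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868"` together with the matching `accountName` and `accountDomainName` values are redaction tokens, which tell the reader nothing beyond the visible `accountDomainName\accountName` structure of the identifier. Replace them with a fictitious account in the `contoso.com` style the alert-related machine page in this change already uses, and say whether `accountSid` being `null` is expected.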
@@ -0,0 +1,75 @@ +--- +title: Get alerts API +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get alerts +Retrieves top recent alerts. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alerts exists - 200 OK. +If no recent alerts found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 5000, + "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000", + "value": [ + { + "id": "636396039176847743_89954699", + "severity": "Informational", + "status": "New", + "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs", + "recommendedAction": "Collect artifacts and determine scope", + "alertCreationTime": "2017-08-29T11:45:17.5754165Z", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..4ade44c5d8 --- /dev/null 
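Review bot: the response example is missing its opening `{` (it starts at `"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",` and ends with `}`), the same defect as the files page. More importantly, the sample shows `"@odata.count": 5000` and `"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000"`, so the call pages, yet nothing in the text mentions paging or the `$top`/`$skip` query options (the exposed-APIs page in this change uses `?$top=5`). Add a sentence on following `@odata.nextLink` until it is absent. Also `If successful and alerts exists` should be `alerts exist`.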
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Get domain related alerts API +description: Retrieves a collection of alerts related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get domain related alerts +Retrieves a collection of alerts related to a given domain address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain and alert exists - 200 OK. +If domain or alert does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` 
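Review bot: the example request leaves the placeholder in place, `GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts`, while the actor pages substitute a concrete value (`actors/zinc`); show a real host here (the domain page in this change uses `www.example.com`) and state that `{id}` is the host name, since the title calls it a `domain address` and the route calls it an id. Also `If successful and domain and alert exists` should be `exist`.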
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..630af76023 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,72 @@ +--- +title: Get domain related machines API +description: Retrieves a collection of machines related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get domain related machines +Retrieves a collection of machines related to a given domain address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain and machine exists - 200 OK. +If domain or machines do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..168ba45b95 --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md @@ -0,0 +1,69 @@ +--- +title: Get domain statistics API +description: Retrieves the prevalence for the given domain. +keywords: apis, graph api, supported apis, get, domain, domain related machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get domain statistics +Retrieves the prevalence for the given domain. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK. +If domain does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats", + "host": "example.com", + "orgPrevalence": "4070", + "orgFirstSeen": "2017-07-30T13:23:48Z", + "orgLastSeen": "2017-08-29T13:09:05Z" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..bf5224ea2c --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,70 @@ +--- +title: Get file information API +description: Retrieves a file by identifier Sha1, Sha256, or MD5. +keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get file information +Retrieves a file by identifier Sha1, Sha256, or MD5. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK. +If file does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity", + "sha1": "adae3732709d2178c8895c9be39c445b5e76d587", + "sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a", + "md5": "d387a06cd4bf5fcc1b50c3882f41a44e", + "globalPrevalence": 40790196, +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0bc15888fe --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,74 @@ +--- +title: Get file related alerts API +description: Retrieves a collection of alerts related to a given file hash. +keywords: apis, graph api, supported apis, get, file, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get file related alerts +Retrieves a collection of alerts related to a given file hash. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file and alert exists - 200 OK. +If file or alerts do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` 
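Review bot: `## Response` on this page says 404 when "file or alerts do not exist", which makes a known hash with zero alerts indistinguishable from an unknown hash. If that is the real behaviour, say so explicitly and tell callers to treat 404 on the related-alerts and related-machines routes as "no results" rather than as an error; if an empty `"value": []` with 200 is what is actually returned for a known file with no alerts, fix the text.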
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0dd8cbb37e --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,72 @@ +--- +title: Get file related machines API +description: Retrieves a collection of machines related to a given file hash. +keywords: apis, graph api, supported apis, get, machines, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get file related machines +Retrieves a collection of machines related to a given file hash. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file and machines exists - 200 OK. +If file or machines do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cf4bdfb5bb --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get file statistics API +description: Retrieves the prevalence for the given file. +keywords: apis, graph api, supported apis, get, file, statistics +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get file statistics +Retrieves the prevalence for the given file. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK. +If file do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", + "sha1": "adae3732709d2178c8895c9be39c445b5e76d587", + "orgPrevalence": "106398", + "orgFirstSeen": "2017-07-30T13:29:50Z", + "orgLastSeen": "2017-08-29T13:29:31Z", + "topFileNames": [ + "chrome.exe", + "old_chrome.exe" + ] +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cc3eaf628c --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Get IP related alerts API +description: Retrieves a collection of alerts related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get IP related alerts +Retrieves a collection of alerts related to a given IP address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP and alert exists - 200 OK. +If IP and alerts do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` 
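Review bot: `## Response` reads "If IP and alerts do not exist - 404 Not Found", but the 200 line above it requires "IP and alert exists", so the failure condition is the negation, "If IP or alerts do not exist", as the domain and file pages already phrase it.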
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5a3164c261 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,72 @@ +--- +title: Get IP related machines API +description: Retrieves a collection of machines related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get IP related machines +Retrieves a collection of alerts related to a given IP address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP and machines exists - 200 OK. +If IP or machines do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..077f8220bb --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,69 @@ +--- +title: Get IP statistics API +description: Retrieves the prevalence for the given IP. +keywords: apis, graph api, supported apis, get, ip, statistics, prevalence +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get IP statistics +Retrieves the prevalence for the given IP. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP and domain exists - 200 OK. +If domain does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", + "ipAddress": "192.168.1.1", + "orgPrevalence": "63515", + "orgFirstSeen": "2017-07-30T13:36:06Z", + "orgLastSeen": "2017-08-29T13:32:59Z" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..eefe82c97b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,72 @@ +--- +title: Get machine by ID API +description: Retrieves a machine entity by ID. +keywords: apis, graph api, supported apis, get, machines, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get machine by ID +Retrieves a machine entity by ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/{id} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK. +If no machine found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity", + "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9", + "computerDnsName": "", + "firstSeen": "2015-03-15T00:18:20.6588778Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..837fece398 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,71 @@ +--- +title: Get machine log on users API +description: Retrieves a collection of logged on users. +keywords: apis, graph api, supported apis, get, machine, log on, users +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get machine log on users +Retrieves a collection of logged on users. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/{id}/logonusers +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine and user exist - 200 OK. +If no machine found or no users found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users", + "value": [ + { + "id": "m", + "accountSid": null, + "accountName": "", + "accountDomainName": "northamerica", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0afb16bf58 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,73 @@ +--- +title: Get machine related alerts API +description: Retrieves a collection of alerts related to a given machine ID. +keywords: apis, graph api, supported apis, get, machines, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get machine related alerts +Retrieves a collection of alerts related to a given machine ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine and alert exists - 200 OK. +If no machine or no alerts found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 1, + "value": [ + { + "id": "636396066728379047_-395412459", + "severity": "Medium", + "status": "New", + "description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7674740001 --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md @@ -0,0 +1,76 @@ +--- +title: Get machines API +description: Retrieves a collection of recently seen machines. +keywords: apis, graph api, supported apis, get, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get machines +Retrieves a collection of recently seen machines. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machines exists - 200 OK. +If no recent machines - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "@odata.count": 5000, + "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000", + "value": [ + { + "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9", + "computerDnsName": "", + "firstSeen": "2015-03-15T00:18:20.6588778Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cf588557dc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -0,0 +1,70 @@ +--- +title: Get user information API +description: Retrieve a User entity by key such as user name or domain. +keywords: apis, graph api, supported apis, get, user, user information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get user information +Retrieve a User entity by key (user name or domain\user). + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/users/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK. +If user does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/users/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity", + "id": "", + "accountSid": null, + "accountName": "", + "accountDomainName": "", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..88cc381aaf --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,74 @@ +--- +title: Get user related alerts API +description: Retrieves a collection of alerts related to a given user ID. +keywords: apis, graph api, supported apis, get, user, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get user related alerts +Retrieves a collection of alerts related to a given user ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/users/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and user and alert exists - 200 OK. +If user does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` 
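Review bot: `## Response` lists 200 for "user and alert exists" but 404 only for "If user does not exist", leaving the case of a known user with no alerts undocumented. Either state that such a user returns 200 with an empty `value` array, or make the 404 line read "If user or alerts do not exist" to match the file, IP and machine pages in this same change.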
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..46b715810b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,72 @@ +--- +title: Get user related machines API +description: Retrieves a collection of machines related to a given user ID. +keywords: apis, graph api, supported apis, get, user, user related alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Get user related machines +Retrieves a collection of machines related to a given user ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/users/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and user and machine exists - 200 OK. +If user or machine does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png new file mode 100644 index 0000000000..3c945c3b8d Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png new file mode 100644 index 0000000000..f195635b73 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png new file mode 100644 index 0000000000..a29e87f278 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png new file mode 100644 index 0000000000..080b28974c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png index ff3c828a38..5f0e1199b6 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png new file mode 100644 index 0000000000..90e1f30d77 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png new file mode 100644 index 0000000000..ce13835ade Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png new file mode 100644 index 0000000000..df19e86e74 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png new file mode 100644 index 0000000000..467cb3414e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png new file mode 100644 index 0000000000..71d61dca5f Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png new file mode 100644 index 0000000000..5b5116f4dd Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png new file mode 100644 index 0000000000..88ed4da744 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png new file mode 100644 index 0000000000..70a29f078a Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png new file mode 100644 index 0000000000..79dfdf7756 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png new file mode 100644 index 0000000000..e46547a2ff Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png new file mode 100644 index 0000000000..38767341f9 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png index f162f21b1b..9745627e88 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png b/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png new file mode 100644 index 0000000000..ae493ad999 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-application-information.png b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png new file mode 100644 index 0000000000..0fa908d66c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png new file mode 100644 index 0000000000..d980fc4ed9 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png new file mode 100644 index 0000000000..aed05187d6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png new file mode 100644 index 0000000000..31a49811ec Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png new file mode 100644 index 0000000000..2fe20462f2 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png new file mode 100644 index 0000000000..a222f09880 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png index 9c41b16d73..7bb3ec3bb5 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png index 4d1885054b..acf42ec448 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png new file mode 100644 index 0000000000..effefd5424 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png new file mode 100644 index 0000000000..ce3d0672a6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png new file mode 100644 index 0000000000..5aa454b9c8 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png new file mode 100644 index 0000000000..23dcbb397e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png new file mode 100644 index 0000000000..d90199bb76 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png b/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png new file mode 100644 index 0000000000..e56876ff1b Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png new file mode 100644 index 0000000000..5a04cb5fd5 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png new file mode 100644 index 0000000000..614424a2ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png new file mode 100644 index 0000000000..4f738b77ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png new file mode 100644 index 0000000000..8166caf6ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png new file mode 100644 index 0000000000..3cfe2f682f Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png new file mode 100644 index 0000000000..11c2bf608b Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png new file mode 100644 index 0000000000..90f5b5b557 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png new file mode 100644 index 0000000000..3e486c0565 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png new file mode 100644 index 0000000000..c846a207df Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png new file mode 100644 index 0000000000..345a260612 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png new file mode 100644 index 0000000000..e71db86d17 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png index 4905b60304..d416fcb5ad 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png and b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png new file mode 100644 index 0000000000..ad6c46725c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png new file mode 100644 index 0000000000..dc88fe76e4 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png index 2c32d9780d..65eafd21ea 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png index 10b778ae73..cdc1be01f6 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png index c9063c8fa9..0c7f50581f 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png index da80abb64f..c90cef7b32 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png new file mode 100644 index 0000000000..5e2258d16d Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png index 746d043732..7c10c6b14f 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png b/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png new file mode 100644 index 0000000000..fc88a55489 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png new file mode 100644 index 0000000000..3160d850e0 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png new file mode 100644 index 0000000000..5dbd52ce1c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png index 508822a2ad..b4865884d3 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png and b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png new file mode 100644 index 0000000000..bad96b9438 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-score.png new file mode 100644 index 0000000000..e0e05e11be Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-org-score.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png new file mode 100644 index 0000000000..65dc93e72c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png new file mode 100644 index 0000000000..c8a1a31e06 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-portal.png index 5f39939886..742b8deb22 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-portal.png and b/windows/threat-protection/windows-defender-atp/images/atp-portal.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png new file mode 100644 index 0000000000..953e4af373 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png new file mode 100644 index 0000000000..96200e68ff Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png new file mode 100644 index 0000000000..2061e53383 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png new file mode 100644 index 0000000000..be0e101c6e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png new file mode 100644 index 0000000000..92599b5a75 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png b/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png new file mode 100644 index 0000000000..d587e6d40a Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png b/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png new file mode 100644 index 0000000000..ff284e05fc Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png new file mode 100644 index 0000000000..47cedd37ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png b/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png new file mode 100644 index 0000000000..fd2d52834b Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png new file mode 100644 index 0000000000..1b3c80e762 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png new file mode 100644 index 0000000000..e7f8d974bf Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png new file mode 100644 index 0000000000..627d376ba2 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png b/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png new file mode 100644 index 0000000000..2a1d763b3f Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png b/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png new file mode 100644 index 0000000000..d99b7de547 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png b/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png new file mode 100644 index 0000000000..07fa544f73 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png index 8dcfa06ea0..191941085d 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png index cb58fad705..1f09d12343 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png new file mode 100644 index 0000000000..e1d37a4f65 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png b/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png new file mode 100644 index 0000000000..6a4b746009 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png index ea42abd060..ce515c1e79 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png and b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png index 1d852999b9..b08381baed 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png new file mode 100644 index 0000000000..b0732653d6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png new file mode 100644 index 0000000000..1d852999b9 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png new file mode 100644 index 0000000000..2bea8cb48d Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png differ diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 22cb47ce0e..d2e1a9a60a 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md 
@@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate Windows Defender Advanced Threat Protection alerts @@ -18,6 +19,8 @@ ms.localizationpriority: high - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. ![Image of the alert page](images/atp-alert-details.png) @@ -27,7 +30,7 @@ The alert context tile shows the where, who, and when context of the alert. As w For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md). -The alert details page also shows the alert process tree, an incident graph, and an alert timeline. +The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. 
@@ -74,15 +77,15 @@ The **Incident Graph** expansion by destination IP Address, shows the organizati You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed. -## Alert timeline -The **Alert timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. +## Artifact timeline +The **Artifact timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. -![Image of alert timeline](images/atp-alert-timeline.png) +![Image of artifact timeline](images/atp-alert-timeline.png) Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. 
## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index bb040b50a1..6c5effd35b 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate a domain associated with a Windows Defender ATP alert @@ -21,6 +22,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. You can see information from the following sections in the URL view: 
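Review bot: the rewritten "Artifact timeline" paragraph carries over the original wording error "provides an addition view of the evidence" (should be "an additional view"); since the line is already being replaced in this hunk, fix it here. Only the alt text of the image reference changed while the asset is still `images/atp-alert-timeline.png`, which is fine functionally but leaves the file name out of step with the new heading and with the `@@ -27,7` hunk above that also renames "alert timeline" to "artifact timeline"; consider renaming the asset so future edits do not miss it. The unchanged Related topics context line "[View and organize the Windows Defender Advanced Threat Protection Alerts queue ](" still has a stray space before the closing bracket, which the sibling link on the `+` line does not; worth fixing while the list is being touched.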
@@ -45,7 +48,7 @@ The **Communication with URL in organization** section provides a chronological 5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index 60f65b2052..afb66067f3 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate a file associated with a Windows Defender ATP alert 
@@ -21,31 +22,36 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. You can get information from the following sections in the file view: - File details, Malware detection, Prevalence worldwide -- Deep analysis -- Alerts related to this file -- File in organization -- Most recent observed machines with file - +- Deep analysis +- Alerts related to this file +- File in organization +- Most recent observed machines with file +## File worldwide and Deep analysis The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md). -You'll also see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis). +You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis). ![Image of file information](images/atp-file-information.png) +## Alerts related to this file The **Alerts related to this file** section provides a list of alerts that are associated with the file. 
This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. ![Image of alerts related to the file section](images/atp-alerts-related-to-file.png) +## File in organization The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization. ![Image of file in organization](images/atp-file-in-org.png) +## Most recent observed machinew with the file The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file. ![Image of most recent observed machine with the file](images/atp-observed-machines.png) 
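Review bot: the new heading `+## Most recent observed machinew with the file` has a typo ("machinew"); it should match the section name used in the sentence right after it, "Most recent observed machines with the file". Two smaller points in the same hunk: `+## File worldwide and Deep analysis` does not match the first bullet it is meant to cover ("File details, Malware detection, Prevalence worldwide"), so consider "File details, malware detection, and prevalence worldwide"; and removing the blank line after `+- Most recent observed machines with file` leaves that heading directly under the last list item, so keep a blank line between the list and the heading.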
@@ -53,7 +59,7 @@ The **Most recent observed machines with the file** section allows you to specif This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 486af0335d..0efb6d5061 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate an IP address associated with a Windows Defender ATP alert 
@@ -21,6 +22,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Examine possible communication between your machines and external internet protocol (IP) addresses. Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. @@ -53,7 +56,7 @@ Use the search filters to define the search criteria. You can also use the timel Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 2a4675f3c4..f437a524b9 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Investigate machines in the Windows Defender ATP Machines list -description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list. -keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity +description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health. +keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate machines in the Windows Defender ATP Machines list @@ -18,6 +19,8 @@ ms.localizationpriority: high - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + ## Investigate machines Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. 
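Review bot: the new `keywords` value ends with "service heatlh", which should be "service health"; keywords feed search indexing, so the misspelled term will not match what readers type.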
@@ -25,39 +28,43 @@ You can click on affected machines whenever you see them in the portal to open a - The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) -- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - Any individual alert - Any individual file details view - Any IP address or domain details view When you investigate a specific machine, you'll see: -- Machine details, Logged on users, and Machine Reporting +- Machine details, Logged on users, and Machine Reporting - Alerts related to this machine - Machine timeline -![Image of machine details page](images/atp-machine-details-view.png) +![Image of machine view](images/atp-machine-details-view.png) -The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine, and others. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). +The machine details, total logged on users, and machine reporting sections display various attributes about the machine. -You'll also see other information such as domain, operating system (OS) and build, total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. +The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package. 
+ +For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days: - Interactive and remote interactive logins - Network, batch, and system logins -![Image of user details pane](images/atp-user-details-pane.png) +![Image of user details pane](images/atp-user-details.png) You'll also see details such as logon types for each user account, the user group, and when the account logon occurred. For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). +## Alerts related to this machine The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts). This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine. You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. 
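Review bot: the rewritten machine-details paragraph drops everything the removed sentence listed (health state, IP address, who logged on most and least frequently, and how long the machine has been reporting sensor data) and keeps only "domain and OS" plus the investigation package link; if the machine details, logged on users, and machine reporting tiles still show those attributes, keep at least a short list so the page still says what the view contains. "If there's an investigation package available on the machine" would also help readers more if it said that the package comes from the response actions linked in the next sentence, so they know why the download link may be absent.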
Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**. +## Machine timeline The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. @@ -72,38 +79,39 @@ Use the search bar to look for specific timeline events. Harness the power of us - **Value** - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search supports defined search queries based on type:value pairs.
      You can use any of the following values:
      - - Hash: Sha1 or MD5 - - File name - - File extension - - Path - - Command line - - User - - IP - - URL + - Hash: Sha1 or MD5 + - File name + - File extension + - Path + - Command line + - User + - IP + - URL + - **Informational level** – Click the drop-down button to filter by the following levels: - - Detections mode: displays Windows ATP Alerts and detections - - Behaviors mode: displays "detections" and selected events of interest - - Verbose mode: displays all raw events without aggregation or filtering + - Detections mode: displays Windows ATP Alerts and detections + - Behaviors mode: displays "detections" and selected events of interest + - Verbose mode: displays all raw events without aggregation or filtering - **Event type** - Click the drop-down button to filter by the following levels: - - Windows Defender ATP alerts - - Windows Defender AV alerts - - Response actions - - AppGuard related events - - Windows Defender Device Guard events - - Process events - - Network events - - File events - - Registry events - - Load DLL events - - Other events

      - Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. + - Windows Defender ATP alerts + - Windows Defender AV alerts + - Response actions + - AppGuard related events + - Windows Defender Device Guard events + - Process events + - Network events + - File events + - Registry events + - Load DLL events + - Other events

      + Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: - - Logon users - - System - - Network - - Local service + - Logon users + - System + - Network + - Local service The following example illustrates the use of type:value pair. The events were filtered by searching for the user jonathan.wolcott and network events as the event type: 
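Review bot: in the re-indented **Informational level** list, "Detections mode: displays Windows ATP Alerts and detections" still says "Windows ATP Alerts" while the **Event type** list in the same hunk says "Windows Defender ATP alerts"; these lines are touched for indentation anyway, so make the product name consistent. Most of this hunk is whitespace-only (trailing spaces and list indentation), which hides the few real text changes; keeping whitespace cleanup in a separate commit would make the review easier.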
@@ -133,14 +141,16 @@ From the list of events that are displayed in the timeline, you can examine the ![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png) -You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine. +You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address. The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. + + ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) 
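Review bot: the link text "Alerts spotlight" now points at `#artifact-timeline`, but the target page has no section called "Alerts spotlight"; readers following it will land on **Artifact timeline**, so align the link text with the heading it targets (the anchor update itself is correct for the renamed heading). The two added blank `+` lines before `## Related topics` appear to add only empty lines and trailing whitespace.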
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index 3fad51eada..52c8a9583f 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate a user account in Windows Defender ATP @@ -21,6 +22,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + ## Investigate user account entities Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. @@ -36,7 +39,7 @@ When you investigate a user account entity, you'll see: - Alerts related to this user - Observed in organization (machines logged on to) -![Image of the user account entity details page](images/atp-user-details-view.png) +![Image of the user account entity details page](images/atp-user-details-view-tdp.png) The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. 
@@ -64,7 +67,7 @@ You can filter the results by the following time periods: - 6 months ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5d32e4419b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,66 @@ +--- +title: Is domain seen in org API +description: Use this API to create calls related to checking whether a domain was seen in the organization. +keywords: apis, graph api, supported apis, domain, domain seen +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Is domain seen in org +Answers whether a domain was seen in the organization. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK. +If domain does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains/$entity", + "host": "example.com" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9dfc6cd763 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md 
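Review bot: the domain lookup never says what `{id}` is, while the example response returns `"host": "example.com"`; state that the identifier is the domain host name (if that is the contract) so callers know what to put in the URL. Related: `GET /testwdatppreview/domains/{id}/` has a trailing slash but the example `GET https://graph.microsoft.com/testwdatppreview/domains/{id}` does not, and the request example sends `Content-type: application/json` although the body is documented as empty, so the headers table should mark that header optional. "User needs read permissions" is too vague for an API reference; name the permission or role required, since a 200-versus-404 answer on its own already discloses whether the organization has had contact with that domain.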
@@ -0,0 +1,66 @@ +--- +title: Is IP seen in org API +description: Answers whether an IP was seen in the organization. +keywords: apis, graph api, supported apis, is, ip, seen, org, organization +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Is IP seen in org +Answers whether an IP was seen in the organization. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK. +If IP do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips/$entity", + "id": "192.168.1.1" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index a36ea1a0a9..4fa77ae8f4 100644 --- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # View and organize the Windows Defender ATP Machines list 
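Review bot: "If IP do not exist - 404 Not Found." should read "If the IP does not exist - 404 Not Found." The example response returns `"id": "192.168.1.1"` while the companion domain API returns `"host"`, so either the two resources have different shapes (say so) or one example is wrong. Using a private RFC 1918 address as the example is also confusing for an API whose purpose is to check whether an IP was seen in the organization; a documentation range such as 203.0.113.x avoids implying that the lookup is for internal addresses. As on the domain page, `{id}` is never defined and the trailing slash differs between `GET /testwdatppreview/ips/{id}/` and the example URL.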
@@ -22,19 +23,21 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. Use the Machines list in these main scenarios: -- **During onboarding**
      +- **During onboarding**
      During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. -- **Day-to-day work** +- **Day-to-day work**
      The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. ## Sort, filter, and download the list of machines from the Machines list You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order. -Filter the **Machines list** by time period, **OS Platform**, **Health**, or **Malware category alerts** to focus on certain sets of machines, according to the desired criteria. +Filter the **Machines list** by time period, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, or **Groups** to focus on certain sets of machines, according to the desired criteria. You can also download the entire list in CSV format using the **Export to CSV** feature. @@ -53,14 +56,22 @@ You can use the following filters to limit the list of machines displayed during - Windows 10 - Windows Server 2012 R2 - Windows Server 2016 +- Linux +- Mac OS - Other +**Health**
      +- All +- Well configure +- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters. + + **Sensor health state**
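Review bot: "Well configure" in the new **Health** list should be "Well configured". The intro on this page now lists **Health**, **Security state**, and **Groups** as filters, but only **Health** gets a list of values here; either document the values for **Security state** and **Groups** too or drop them from the intro. The existing context line `- Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters.` now renders as a fourth bullet of the **Health** list; turn it into a plain sentence under the list. In the OS Platform list, "Mac OS" would normally be written "macOS".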
      Filter the list to view specific machines grouped together by the following machine health states: - **Active** – Machines that are actively reporting sensor data to the service. -- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. Misconfigured machines can further be classified to: - - Impaired communication +- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: + - Impaired communications - No sensor data For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). @@ -101,7 +112,7 @@ You can sort the **Machines list** by the following columns: ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index fb191cc3b3..be0229d1d1 100644 --- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Manage Windows Defender Advanced Threat Protection alerts @@ -22,7 +23,9 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu. +[!include[Prerelease information](prerelease.md)] + +Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu. You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. 
@@ -52,10 +55,9 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen Added comments instantly appear on the pane. ## Suppress alerts +There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. -Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**. - -Suppression rules can be created from an existing alert. +Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. 
@@ -64,7 +66,9 @@ There are two contexts for a suppression rule that you can choose from: - **Suppress alert on this machine** - **Suppress alert in my organization** -The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule: +The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal. + +You can use the examples in the following table to help you choose the context for a suppression rule: | **Context** | **Definition** | **Example scenarios** | |:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
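Review bot: in the @@ -64,7 +66,9 @@ hunk the rewritten sentence says "surfaced into the portal" twice in one breath ("lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal"); suggest "The context of the rule lets you tailor what is surfaced in the portal so that only alerts that need attention appear." Splitting the table lead-in onto its own paragraph is fine.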
@@ -87,38 +91,31 @@ Create custom rules to control when alerts are suppressed, or resolved. You can > [!NOTE] > You cannot create a custom or blank suppression rule. You must start from an existing alert. + 4. Specify the conditions for when the rule is applied: - - Alert title - - Indicator of compromise (IOC) - - Suppression conditions + - Alert title + - Indicator of compromise (IOC) + - Suppression conditions > [!NOTE] - > The SHA1 of the alert cannot be modified -5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization. + > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions. + +5. Specify the action and scope on the alert.
      + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization. 6. Click **Save and close**. -**See the list of suppression rules:** +### View the list of suppression rules -1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen. -2. Click **Suppression rules**. +1. Click **Alerts queue** > **Suppression rules**. - ![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png) - -The list of suppression rules shows all the rules that users in your organization have created. -![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png) - -Each rule shows: - -- (1) The title of the alert that is suppressed -- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization -- (3) The date when the alert was suppressed -- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards. +2. The list of suppression rules shows all the rules that users in your organization have created. +You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules. 
## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 34e836f47e..b43ff9eb93 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -7,9 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: iawilt -author: iaanw +ms.author: macapara +author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Minimum requirements for Windows Defender ATP @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + There are some minimum requirements for onboarding your network and endpoints. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) 
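Review bot: the @@ -87,38 +91,31 @@ hunk in manage-alerts adds "however you can clear the SHA1 to remove it from the suppression conditions" without saying what that does to the rule: with the SHA1 cleared, the rule matches on the remaining conditions (alert title, IOC) regardless of which file triggered the alert, and with the **Suppress alert in my organization** scope it hides that alert for every machine. Suggest adding one sentence, e.g. "Clearing the SHA1 broadens the rule to any file that raises an alert with the same title, so use it only when the alert is known to be benign regardless of the file involved." Two smaller points in the same hunk: step 2 of "View the list of suppression rules" ("The list of suppression rules shows all the rules...") is a description rather than an action, so fold it into step 1 or drop the number; and "Alert management" pane appears here for the first time without saying it is where rules are also disabled, so mention both disable and activate there.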
@@ -35,7 +38,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros - Windows 10 Enterprise E5 - Windows 10 Education E5 -- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5 +- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). 
@@ -117,10 +120,12 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the sc qc diagtrack ``` -## Windows Defender signature updates are configured -The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). +## Windows Defender Antivirus signature updates are configured +The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). -When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). +When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. + +For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). 
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index b433fffe39..d5a674a071 100644 --- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Onboard and set up Windows Defender Advanced Threat Protection @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You need to onboard to Windows Defender ATP before you can use the service. For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). 
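Review bot: in the @@ -117,10 +120,12 @@ hunk of minimum-requirements the heading and first paragraph are renamed to "Windows Defender Antivirus", but the new "For more information" line still reads "[Windows Defender in Windows 10 topic]"; update the link text to match the rename used two lines earlier ("Configure Windows Defender Antivirus in Windows 10"). Also "goes on passive mode" should be "goes into passive mode". The added sentence about group policy is the important one for operators ("machines that are onboarded to Windows Defender ATP must be excluded from this group policy"); tie it to the consequence stated in the first paragraph, that the agent depends on Windows Defender Antivirus to scan files and provide information about them, so the reader knows that leaving the policy in place degrades what Windows Defender ATP can report rather than just producing a warning. The unchanged ELAM heading that follows still says "Windows Defender" and could be renamed in the same pass.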
@@ -38,6 +41,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ## In this section Topic | Description :---|:--- -[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. +[Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. +[Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. diff --git a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..2f535cb869 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md 
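Review bot: in the @@ -38,6 +41,7 @@ hunk of onboard-configure the rewritten "Configure client endpoints" row keeps the grammar slip "configure endpoints for it to report" (should be "for them to report"), and the new "Configure server endpoints" row is the only row in the table without a terminating period; suggest "Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP." for consistency with the other descriptions.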
@@ -0,0 +1,33 @@ +--- +title: Optimize Windows Defender Antivirus +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 09/05/2017 +--- + +# Optimize Windows Defender Antivirus + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +The Antivirus optimization tile provides a list of recommendations to affected machines. Taking action on the recommendations will help improve your overall organizational security: + +- [Use Windows Defender AV with Windows Defender ATP](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) +- [Turn on cloud-delivered protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Turn on protection from potentially unwanted applications](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Turn on real-time protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Update antivirus protection and definitions](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 6105da4bd7..7a8e8393e6 100644 
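Review bot: in the new optimize-security file the "Turn on protection from potentially unwanted applications" bullet links to the same enable-cloud-protection-windows-defender-antivirus page as the "Turn on cloud-delivered protection" bullet above it, which looks like a copy/paste error; it should point at the PUA configuration topic. The last bullet's URL ends in "manage-updates-baselines-windows-defender-antivirus.md", and a docs.microsoft.com URL with a ".md" suffix will not resolve. Front matter: `description:` and `keywords:` are empty, the file uses `localizationpriority: high` where every other page in this change uses `ms.localizationpriority: high`, and `ms.author` is missing although `author` is set. The file also has no newline at end of file.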
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: DulceMV ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender Advanced Threat Protection portal overview @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to: @@ -46,14 +49,14 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
      **Feedback** -Access the feedback button to provide comments about the portal.
      **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
      **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. -**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. +(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. +**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. **Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. -(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list. +(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: 
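Review bot: in the @@ -46,14 +49,14 @@ hunk of portal-overview the **Settings** description is left as unchanged context and still says settings is "where you can set time zones, alert suppression rules, and license information", but the manage-alerts change in this same commit moves the suppression rules list to **Alerts queue** > **Suppression rules**; update this row so the two pages agree on where suppression rules are managed. Drive-by in the same table: "current status of the Window Defender ATP service" is missing the "s" in Windows.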
diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..afcd9030c3 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,137 @@ +--- +title: Create and build Power BI reports using Windows Defender ATP data +description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. +keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 09/05/2017 +--- +# Create and build Power BI reports using Windows Defender ATP data + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI. + +Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. + +Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization. + +You can easily get started by: +- Creating a dashboard on the Power BI service +- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization + +You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported. + +## Create a Windows Defender ATP dashboard on Power BI service +Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. + +1. 
In the navigation pane, select **Preferences setup** > **Power BI reports**. + +2. Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization. + + ![Preferences setup with create dashboard button](images/atp-create-dashboard.png) + + >[!NOTE] + >Loading your data in the Power BI service can take a few minutes. + +3. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. + + ![Consent image](images/atp-powerbi-consent.png) + +4. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. + +When the dashboard is ready, you’ll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard. + +For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/). + +## Build a custom Windows Defender ATP dashboard in Power BI Desktop +You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires. + +### Before you begin +1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). + +2. In the Windows Defender ATP portal navigation pane, select **Preferences setup** > **Power BI reports**. + +3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. + + ![Preferences setup with download connector button](images/atp-download-connector.png) + +4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder. + +5. 
Copy WDATPDataConnector.mez from the zip to the directory you just created. + +6. Open Power BI Desktop. + +7. Click **File** > **Options and settings** > **Custom data connectors**. + +8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. + + >[NOTE] + >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**. + + ![Power BI options page](images/atp-powerbi-options.png) + +9. Restart Power BI Desktop. + +## Customize the Windows Defender ATP Power BI dashboard +After completing the steps in the Before you begin section, you can proceed with building your custom dashboard. + +1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop. + +2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. + + ![Consent image](images/atp-powerbi-consent.png) + +3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. + +## Mashup Windows Defender ATP data with other data sources +You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other data sources to gain better security perspective in your organization. + +1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Windows Defender Advanced Threat Protection**. + + ![Get data in Power BI](images/atp-powerbi-get-data.png) + +2. Click **Connect**. + +3. On the Preview Connector windows, click **Continue**. + + ![Power BI preview connector](images/atp-powerbi-preview.png) + +4. 
If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. + + ![Consent image](images/atp-powerbi-consent.png) + +5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. + +6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. + + ![Power BI navigator page](images/atp-powerbi-navigator.png) + +7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source. + +8. Add visuals and select fields from the available data sources. + +## Related topics +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) +- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) + + + + 
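Review bot: in the new powerbi-reports file, steps 4 to 8 of "Before you begin" have the reader copy WDATPDataConnector.mez into the Custom Connectors folder and then enable **Custom data connectors**; that Power BI Desktop option lets the application load any connector placed in that folder, not only this one, so the page should say to keep the folder limited to the connector downloaded from the Windows Defender ATP portal and to leave the option off on machines that do not build these reports. Other points in the same file: the callout in step 8 is written `>[NOTE]` and is missing the `!`, so it will render as a plain blockquote rather than a note; in the mashup procedure step 5 says "When all data has been downloaded, you can proceed to customize your reports" while step 6 then asks the reader to select feeds and click Load, so one of the two statements is out of order; the consent paragraph ("By providing consent, you're allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data") is repeated verbatim three times and could be stated once with a reference; "Preview Connector windows" should be "window", "analyse" should be "analyze" for consistency with the rest of the docs, and "Mashup" as a verb should be "Mash up". Front matter has the same `localizationpriority` vs `ms.localizationpriority` mismatch and missing `ms.author` as the other new file, and the hunk ends with several empty `+` lines.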
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index 68be48aa4f..e3960714e7 100644 --- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # PowerShell code examples for the custom threat intelligence API @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + This article provides PowerShell code examples for using the custom threat intelligence API. These code examples demonstrate the following tasks: diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 66b0319b67..beade9fba5 100644 --- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure Windows Defender ATP preferences settings 
@@ -21,6 +22,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. ## In this section @@ -33,3 +36,4 @@ Topic | Description [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution. [Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application. +[Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) | Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. diff --git a/windows/threat-protection/windows-defender-atp/prerelease.md b/windows/threat-protection/windows-defender-atp/prerelease.md new file mode 100644 index 0000000000..315e4f96d8 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/prerelease.md @@ -0,0 +1,3 @@ +>[!IMPORTANT] + +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. \ No newline at end of file 
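Review bot: in the new prerelease.md the blank line between `>[!IMPORTANT]` and the `>Some information relates to...` line splits the alert into two blockquotes, so the IMPORTANT callout renders empty and the text appears as a separate quote; remove the blank line so both lines form one `>` block. Since this file is now included by every topic in the change, the rendering bug will show on all of them. Also "prereleased product" should be "prerelease product", and the file has no newline at end of file.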
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 8a3c2389d9..ec38ff1fd1 100644 --- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Turn on the preview experience in Windows Defender ATP @@ -21,6 +22,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Turn on the preview experience setting to be among the first to try upcoming features. 1. In the navigation pane, select **Preferences setup** > **Preview experience**. @@ -32,3 +35,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 4347ed4f8c..096f49bab4 100644 
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender ATP preview features @@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. @@ -35,4 +37,34 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Preview features -There are currently no preview only features. +The following features are included in the preview release: + +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
      +You can now onboard VDI machines to the Windows Defender ATP service. + +- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
      +Windows Defender ATP supports the onboarding of the following servers: + - Windows Server 2012 R2 + - Windows Server 2016 + +- [View the Windows Defender ATP Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
      +The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. + +- [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
      +You can lock down a device and prevent subsequent attempts of potentially malicious programs from running. + +- [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
      +As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. + +- [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
      +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. + +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
      +Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. + +- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
      + Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. + + + + diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 38e72858dc..ebf7206b49 100644 --- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Pull Windows Defender ATP alerts using REST API @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. In general, the OAuth 2.0 protocol supports four types of flows: diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index d9602489d5..607ab8d422 100644 --- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md 
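Review bot: the last bullet of the new "Preview features" list ("Use the Windows Defender ATP exposed APIs") has a comma splice in "Those APIs will enable you, to automate workflows"; drop the comma. The same bullet's description line starts with a leading space ("+ Windows Defender ATP exposes ...") whereas every other bullet's description starts at column zero, and the hunk ends with four added empty lines; align the indentation with the other bullets and trim the trailing blank lines so the file ends with a single newline.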
@@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Python code examples for the custom threat intelligence API @@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] ## Before you begin You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 7f69b9369f..328a0ff719 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Take response actions on a file @@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. 
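Review bot: in both the python-example-code hunk and the respond-file-alerts @@ -22,6 hunk the new `[!include[Prerelease information](prerelease.md)]` line is placed directly against the following "## Before you begin" heading / "Quickly respond to detected attacks ..." paragraph with no blank line, while the pull-alerts hunk in this same change adds a blank line after the include. Add the blank line in these two hunks too so the include renders as its own block and the three files stay consistent.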
@@ -33,29 +35,29 @@ You can also submit files for deep analysis to run the file in a secure cloud sa ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. -The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. +The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline + - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - **Search box** - select File from the drop–down menu and enter the file name -2. Open the **Actions menu** and select **Stop & Quarantine File**. +2. Open the **Actions menu** and select **Stop and Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) -3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference. +3. Type a comment and select **Yes, stop and quarantine** to take action on the file. + ![Image of stop and quarantine file](images/atp-stop-quarantine.png) The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - - **Submission time** - Shows when the action was submitted.
      - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
      - - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
      - - **Success** - Shows the number of machines where the file has been stopped and quarantined.
      - - **Failed** - Shows the number of machines where the action failed and details about the failure.
      + - **Submission time** - Shows when the action was submitted. + - **Success** - Shows the number of machines where the file has been stopped and quarantined. + - **Failed** - Shows the number of machines where the action failed and details about the failure. + - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -104,14 +106,17 @@ This feature is designed to prevent suspected malware (or potentially malicious ![Image of preferences setup](images/atp-preferences-setup.png) -3. Type a comment (optional) and select **Yes** to take action on the file. -The Action center shows the submission information: - ![Image of block file](images/atp-blockfile.png) +3. Type a comment and select **Yes, block file** to take action on the file. + + + The Action center shows the submission information: + + ![Image of block file](images/atp-blockfile.png) - **Submission time** - Shows when the action was submitted.
      - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
      - - **Status** - Indicates whether the file was added to or removed from the blacklist. + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
      + - **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
      @@ -130,9 +135,9 @@ For prevalent files in the organization, a warning is shown before an action is ### Remove file from blocked list 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - - **Alerts** - Click the file links from the Description or Details in the Alert timeline
      - - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
      - - **Search box** - Select File from the drop–down menu and enter the file name + - **Alerts** - Click the file links from the Description or Details in the Artifact timeline
      + - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
      + - **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. @@ -175,7 +180,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure **Submit files for deep analysis:** 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
      - - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
      + - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
      - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
      - Search box - select **File** from the drop–down menu and enter the file name
      2. In the **Deep analysis** section of the file view, click **Submit**. @@ -229,4 +234,4 @@ HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection > If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. ## Related topics -– [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 3c8baf58e6..0879c73c17 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Take response actions on a machine in Windows Defender ATP -description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details. -keywords: respond, isolate, isolate machine, collect investigation package, action center +description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. +keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Take response actions on a machine 
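Review bot: the Action center bullet lists in respond-file-alerts are now inconsistent: the "Stop and quarantine files" hunk (@@ -33,29) removes the "**Submitting user**" bullet and reorders the rest, while the "Block file" hunk (@@ -104,14) keeps "**Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user ...". Either keep the bullet in both lists or drop it in both, and since step 3 in both hunks changes "Type a comment (optional)" to "Type a comment" and deletes "The comment will be saved in the Action center for reference.", say explicitly whether the comment is now required and where it can be reviewed afterwards. In the respond-machine-alerts @@ -1,7 hunk, the `description:` and `keywords:` metadata use the abbreviation "av scan"; spell it out as "antivirus scan" in user-facing metadata.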
@@ -22,59 +23,60 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!NOTE] > These response actions are only available for machines on Windows 10, version 1703. -## Isolate machines from the network -Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +## Manage machine group and tags +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. -This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. +Machine related properties are being extended to account for: ->[!NOTE] ->You’ll be able to reconnect the machine back to the network at any time. +- Group affiliation +- Dynamic context capturing -1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: - - **Dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. -2. Open the **Actions** menu and select **Isolate machine**. 
+### Group machines +Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. - ![Image of isolate machine](images/atp-isolate-machine.png) +Machine group is defined in the following registry key entry of the machine: -3. Type a comment (optional) and select **Yes** to take action on the machine. - >[!NOTE] - >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. +- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` +- Registry key value (string): Group - The Action center shows the submission information: - ![Image of machine isolation](images/atp-machine-isolation.png) - - **Submission time** - Shows when the isolation action was submitted. - - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon. - - **Status** - Indicates any pending actions or the results of completed actions. +### Set standard tags on machines +Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. -When the isolation configuration is applied, there will be a new event in the machine timeline. +1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: -**Notification on machine user**:
      -When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. -![Image of no network connection](images/atp-notification-isolate.png) + You can also get to the alert page through the file and IP views. -## Undo machine isolation -Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated. +2. Open the **Actions** menu and select **Manage tags**. -1. Select a machine that was previously isolated. + ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) -2. Open the **Actions** menu and select **Undo machine isolation**. +3. Enter tags on the machine. To add more tags, click the + icon. +4. Click **Save and close**. - ![Image of undo isolation](images/atp-undo-isolation.png) + ![Image of adding tags on a machine](images/atp-save-tag.png) + + Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. + +### Manage machine tags +You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. + +![Image of adding tags on a machine](images/atp-tag-management.png) -3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network. 
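Review bot: this hunk deletes the entire "Isolate machines from the network" and "Undo machine isolation" sections (including the user notification image and the note that the machine stays connected to the Windows Defender ATP service), but the unchanged intro line "Quickly respond to detected attacks by isolating machines or collecting an investigation package." and the updated `description:`/`keywords:` still advertise isolation on this page. Either keep the isolation sections or update the intro and metadata, and if the content moved elsewhere add a link to it. In the new "Group machines" subsection, the sentence "Machine related properties are being extended to account for:" reads as a roadmap statement rather than documentation; state what the properties are now. The group is defined in `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` with string value `Group`, so it is worth one sentence noting that this key is under HKLM\SOFTWARE\Policies and therefore requires administrative rights (or Group Policy/MDM) to set, which is also what prevents an ordinary user on the machine from changing its own group affiliation.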
## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. @@ -83,35 +85,40 @@ You can download the package (Zip file) and investigate the events that occurred The package contains the following folders: -Folder | Description -:---|:--- -Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

      NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” -Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). -Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

      - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

      - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

      ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

      - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

      - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. -Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

      - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

      - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. -Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. -Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. -Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

      NOTE: Open the event log file using Event viewer. -Services | Contains the services.txt file which lists services and their states. -Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

      Contains files for SMBInboundSessions and SMBOutboundSession.

      NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). -Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

      This can help to track suspicious files that an attacker may have dropped on the system.

      NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. -Users and Groups | Provides a list of files that each represent a group and its members. -CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. +| Folder | Description | +|:--------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Autoruns | Contains a set of files that 
each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

      NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | +| Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | +| Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

      - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

      - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

      ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

      - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

      - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. | +| Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

      - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

      - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | +| Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | +| Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | +| Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

      NOTE: Open the event log file using Event viewer. | +| Services | Contains the services.txt file which lists services and their states. | +| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

      Contains files for SMBInboundSessions and SMBOutboundSession.

      NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). | +| Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

      This can help to track suspicious files that an attacker may have dropped on the system.

      NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. | +| Users and Groups | Provides a list of files that each represent a group and its members. | +| CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | 1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views: - - **Dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the heading of the machine name from the machines list. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the heading of the machine name from the machines list. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. 2. Open the **Actions** menu and select **Collect investigation package**. + ![Image of collect investigation package action](images/atp-actions-collect-investigation-package.png) + +3. Type a comment and select **Yes, collect package** to take action on the machine. 
+ + ![Image of notification to collect package](images/atp-notification-collect-package.png) + The Action center shows the submission information: - ![Image of investigation package in action center](images/atp-investigation-package-action-center.png) + ![Image of investigation package in action center](images/atp-action-center-package-collection.png) - **Submission time** - Shows when the action was submitted. - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package. 3. Select **Package available** to download the package.
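Review bot: the new "+3. Type a comment and select **Yes, collect package** to take action on the machine." step is inserted ahead of the existing "3. Select **Package available** to download the package." step, which this hunk does not renumber to 4; renumber it so the source matches what renders. The rebuilt Markdown table in the same hunk (@@ -83,35) carries over the typo "suspicious systems on the network that night have been used" in the Arp.txt description (should be "might"), and the separator row is padded to several hundred hyphens, which makes the table hard to diff and edit; a short `|:---|:---|` separator renders identically.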
      @@ -122,8 +129,152 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag You can also search for historical packages in the machine timeline. +## Run Windows Defender Antivirus scan on machines +As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. + +>[!NOTE] +> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. + +1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. +2. Open the **Actions** menu and select **Run antivirus scan**. + + ![Image of run antivirus scan](images/atp-actions-run-av.png) + +3. Select the scan type that you'd like to run. You can choose between a quick or a full scan. + + ![Image of notification to select quick scan or full scan and add comment](images/atp-av-scan-notification.png) + + +4. Type a comment and select **Yes, run scan** to start the scan.
      + + The Action center shows the scan information: + + ![Image of action center with antivirus scan](images/atp-av-scan-action-center.png) + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. + +The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. + +## Restrict app execution +In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. + +The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. + +>[!NOTE] +>You’ll be able to reverse the restriction of applications from running at any time. + +1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Restrict app execution**. + + ![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png) + +3. Type a comment and select **Yes, restict app execution** to take action on the file. 
+ + ![Image of app restriction notification](images/atp-notification-restrict.png) + + The Action center shows the submission information: + ![Image of action center with app restriction](images/atp-action-center-app-restriction.png) + + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. + +When the application execution restriction configuration is applied, a new event is reflected in the machine timeline. + + +**Notification on machine user**:
      +When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: + +![Image of app restriction](images/atp-app-restriction.png) + +## Remove app restriction +Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated. + +1. Select the machine where you restricted an application from running from. + +2. Open the **Actions** menu and select **Remove app restrictions**. + + ![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png) + +3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine. + + +## Isolate machines from the network +Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. + +This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. + +On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. + +>[!NOTE] +>You’ll be able to reconnect the machine back to the network at any time. + +1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. 
+ - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Isolate machine**. + + ![Image of isolate machine](images/atp-actions-isolate-machine.png) + +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. + + ![Image of isolation confirmation](images/atp-confirm-isolate.png) + +4. Type a comment and select **Yes, isolate machine** to take action on the machine. + + >[!NOTE] + >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. + + The Action center shows the submission information: + ![Image of machine isolation](images/atp-machine-isolation.png) + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication. + +When the isolation configuration is applied, a new event is reflected in the machine timeline. + +**Notification on machine user**:
      +When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: + +![Image of no network connection](images/atp-notification-isolate.png) + +## Release machine from isolation +Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated. + +1. Select a machine that was previously isolated. + +2. Open the **Actions** menu and select **Release from isolation**. + + ![Image of release from isolation](images/atp-actions-release-from-isolation.png) + +3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network. + + ## Check activity details in Action center -The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. +The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: + +- Investigation package collection +- Antivirus scan +- App restriction +- Machine isolation + +All other related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. ![Image of action center with information](images/atp-action-center-with-info.png) diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index eef6296540..548e32a5b1 100644 
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Take response actions in Windows Defender ATP @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. @@ -35,7 +38,7 @@ Topic | Description [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..4a5e44b615 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,120 @@ +--- +title: View the Security Analytics dashboard in Windows Defender ATP +description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. +keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 09/05/2017 +--- + +# View the Windows Defender Advanced Threat Protection Security analytics dashboard + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. + +The **Security analytics dashboard** displays a snapshot of: +- Organizational security score +- Security coverage +- Improvement opportunities + +![Security analytics dashboard](images/atp-dashboard-security-analytics.png) + +## Organizational security score +The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. 
You can improve this score by taking the steps in configuring each of the security controls in the optimal settings. + +![Organizational security score](images/atp-org-score.png) + +Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score. + +The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). + + +In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile. + +## Security coverage +The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category. + + +![Security coverage](images/atp-sec-coverage.png) + +## Improvement opportunities +Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. + +Click on each control to see the recommended optimizations. + +![Improvement opportunities](images/atp-improv-ops.png) + +The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile. 
+ +Recommendations that do not display a green action are informational only and no action is required. + +Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. + +The following image shows an example list of machines where the EDR sensor is not turned on. + +![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png) + +### Endpoint detection and response (EDR) optimization +This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service. + +You can take the following actions to increase the overall security score of your organization: +- Turn on sensor +- Fix sensor data collection +- Fix impaired communications + +For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + +### Windows Defender Antivirus optimization +This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on. + +You can take the following actions to increase the overall security score of your organization: + +>[!NOTE] +> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the endpoint. + +- Fix antivirus reporting + - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. 
For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). +- Turn on antivirus +- Update antivirus definitions +- Turn on cloud-based protection +- Turn on real-time protection +- Turn on PUA protection + +For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). + + +### OS security updates optimization +This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. + +You can take the following actions to increase the overall security score of your organization: +- Install the latest security updates + +For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter). 
+ +## Related topics +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md) +- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) + diff --git a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a6f76a8f46 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,22 @@ +--- +title: +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Security updates + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index edd9a3e180..aed38dc020 100644 --- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Check the Windows Defender Advanced Threat Protection service health 
@@ -22,16 +23,18 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. -You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. +You can view details on the service health by clicking the tile from the **Security operations dashboard** or selecting the **Service health** menu from the navigation pane. The **Service health** details page has the following tabs: - **Current issues** -- **Status History** +- **Status history** ## Current issues The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md index 91ce5a0bb4..4f5fd7e713 100644 --- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md 
@@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: DulceMV ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender Advanced Threat Protection settings @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information. ## Time zone settings diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..108fefc1b7 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,38 @@ +--- +title: Supported Windows Defender Advanced Threat Protection APIs +description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Supported Windows Defender ATP APIs + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. + +## In this section +Topic | Description +:---|:--- +Actor | Run API calls such as get actor information and get actor related alerts. +Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information. +Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization. +File | Run API calls such as get file information, file related alerts, file related machines, and file statistics. +IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. +Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. +User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. + 
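Review bot: the Domain row of the "In this section" table in the new supported-apis file reads `Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.`, repeating `domain related machines` and leaving `statistics` unqualified; the IP row follows the pattern `IP related alerts, IP related machines, IP statistics`, so the Domain row most likely meant `domain related alerts, domain related machines, domain statistics` (confirm against the API). In the IP row, `check if and IP is seen` should read `an IP`. Unlike the other "In this section" tables touched in this change, none of the seven topic names here are links; if the per-entity topics exist, link them so the table is navigable.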
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index c5cc1addec..f802ef999b 100644 --- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Understand threat intelligence concepts @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 1d8d5a0b52..a7b4331483 100644 
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Troubleshoot custom threat intelligence issues @@ -22,6 +23,7 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] You might need to troubleshoot issues while using the custom threat intelligence feature. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 8575f7b937..30083255ae 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. 
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index 0a66cc942d..b04d0fdea3 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Troubleshoot SIEM tool integration issues @@ -22,6 +23,9 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + + You might need to troubleshoot issues while pulling alerts in your SIEM tools. This page provides detailed steps to troubleshoot issues you might encounter. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index b2e87a83f0..18014303d9 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -10,7 +10,9 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- + # Troubleshoot Windows Defender Advanced Threat Protection **Applies to:** 
@@ -21,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. ### Server error - Access is denied due to invalid credentials diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index d4e2d80927..727c6135b0 100644 --- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Use the threat intelligence API to create custom alerts @@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. You can use the code examples to guide you in creating calls to the custom threat intelligence API. diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 3c7f06e779..bcd359ef0c 100644 --- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Use the Windows Defender Advanced Threat Protection portal @@ -22,9 +23,11 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + A typical security breach investigation requires a member of a security operations team to: -1. View an alert on the **Dashboard** or **Alerts queue** +1. View an alert on the **Security operations dashboard** or **Alerts queue** 2. Review the indicators of compromise (IOC) or indications of attack (IOAs) 3. Review a timeline of alerts, behaviors, and events from the machine 4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert 
@@ -33,13 +36,14 @@ A typical security breach investigation requires a member of a security operatio Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal. -Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance. +Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance. ### In this section Topic | Description :---|:--- -[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. +[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. +[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. 
From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues. [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 512dd52132..4f308f2bea 100644 --- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender Advanced Threat Protection 
@@ -22,6 +23,8 @@ ms.localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). 
@@ -95,6 +98,7 @@ Topic | Description [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise. [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) | Learn about pulling alerts from the Windows Defender ATP portal using supported security information and events management (SIEM) tools. [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) | Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. +[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI. [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service. [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings, suppression rules, and view license information. 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md new file mode 100644 index 0000000000..0916abe7b6 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -0,0 +1,178 @@ +--- +title: Use Attack Surface Reduction rules to prevent malware infection +description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Reduce attack surfaces with Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
+ +The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: + +- Executable files and scripts used in Office apps or web mail that attempt to download or run files +- Scripts that are obfuscated or otherwise suspicious +- Behaviors that apps undertake that are not usually inititated during normal day-to-day work + +See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule. + +When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled. + +## Attack Surface Reduction rules + +The following sections describe what each rule does. 
Each rule is identified by a rule GUID, as in the following table: + +Rule name | GUIDs +-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + + +### Rule: Block executable content from email client and webmail + + +This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): + +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +- Script archive files + + + +### Rule: Block Office applications from creating child processes + +Office apps, such as Word or Excel, will not be allowed to create child processes. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Office applications from creating executable content + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. + +Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. 
+ + +### Rule: Block Office applications from injecting into other processes + + +Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. + +This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. + + + +### Rule: Impede JavaScript and VBScript to launch executables + +JavaScript and VBScript scripts can be used by malware to launch other malicious apps. + +This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. + + + +### Rule: Block execution of potentially obfuscated scripts + +Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. + +This rule prevents scripts that appear to be obfuscated from running. + +It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. + + + + + +## Requirements + +The following requirements must be met before Attack Surface Reduction will work: + +Windows 10 version | Windows Defender Antivirus +- | - +Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled + + + + +## Review Attack Surface Reduction events in Windows Event Viewer + +You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited): + +1. 
Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + + ![](images/events-import.gif) + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: + + Event ID | Description +-|- +5007 | Event when settings are changed +1122 | Event when rule fires in Audit-mode +1121 | Event when rule fires in Block-mode + + + +### Event fields + +- **ID**: matches with the Rule-ID that triggered the block/audit. +- **Detection time**: Time of detection +- **Process Name**: The process that performed the "operation" that was blocked/audited +- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus + + + ## In this section + +Topic | Description +---|--- +[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created. +[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network. +[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. + 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md new file mode 100644 index 0000000000..8ca8c4120a --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -0,0 +1,82 @@ +--- +title: Test how Windows Defender EG features work +description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled +keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Use audit mode to evaluate Windows Defender Exploit Guard features + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. + +While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. + +You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
+ +This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. + +You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode. + + + +Audit options | How to enable audit mode | How to view events +- | - | - +Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) + + +You can also use the a custom PowerShell script that enables the features in audit mode automatically: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine. + +1. Type **powershell** in the Start menu. + +2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. + +3. 
Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode: + ```PowerShell + Set-ExecutionPolicy Bypass -Force + \Enable-ExploitGuardAuditMode.ps1 + ``` + + Replace \ with the folder path where you placed the file. + + A message should appear to indicate that audit mode was enabled. + + +## Related topics + +Topic | Description +---|--- +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) + + + diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md new file mode 100644 index 0000000000..2cda929649 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md 
@@ -0,0 +1,99 @@ +--- +title: Help prevent ransomware and threats from encrypting and changing files +description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files. +keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Protect important folders with Controlled Folder Access + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. 
+ +This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. + +A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + +The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. + +As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled. + + + +## Requirements + +The following requirements must be met before Controlled Folder Access will work: + +Windows 10 version | Windows Defender Antivirus +-|- +Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled + + +## Review Controlled Folder Access events in Windows Event Viewer + +You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app: + +1. 
Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + + ![](images/events-import.gif) + +4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1124 | Audited Controlled Folder Access event +1123 | Blocked Controlled Folder Access event + + + ## In this section + +Topic | Description +---|--- +[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created. +[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network +[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md new file mode 100644 index 0000000000..71db423dcf --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -0,0 +1,94 @@ +--- +title: Configure how ASR works to finetune protection in your network +description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR +keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + +# Customize Attack Surface Reduction + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. + +This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. + +You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. + +## Exclude files and folders + +You can exclude files and folders from being evaluated by Attack Surface Reduction rules. + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). + +### Use Group Policy to exclude files and folders + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. + +6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. + +### Use PowerShell to exclude files and folderss + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" + ``` + +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. + + +>[!IMPORTANT] +>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + +### Use MDM CSPs to exclude files and folders + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. + + + +## Customize the notification + +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
+ + + +## Related topics + +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md) +- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) + diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md new file mode 100644 index 0000000000..9bde74faf6 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md 
@@ -0,0 +1,194 @@ +--- +title: Add additional folders and apps to be protected by Windows 10 +description: Add additional folders that should be protected by Controlled Folder Access, or whitelist apps that are incorrectly blocking changes to important files. +keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Customize Controlled Folder Access + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): + +- [Add additional folders to be protected](#protect-additional-folders) +- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) + + ## Protect additional folders + +Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. + +You can add additional folders to be protected, but you cannot remove the default folders in the default list. 
+ +Adding other folders to Controlled Folder Access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults. + +You can also enter network shares and mapped drives, but environment variables and wildcards are not supported. + +You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. + +### Use the Windows Defender Security Center app to protect additional folders + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) + +3. Under the **Controlled folder access** section, click **Protected folders** + +4. Click **Add a protected folder** and follow the prompts to add apps. + + ![](images/cfa-prot-folders.png) + + +### Use Group Policy to protect additional folders + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. + +6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. + +> [!IMPORTANT] +> Environment variables and wildcards are not supported. 
+ + +### Use PowerShell to protect additional folders + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Add-MpPreference -ControlledFolderAccessProtectedFolders "" + ``` + + +Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app. + + +![](images/cfa-allow-folder-ps.png) + + +>[!IMPORTANT] +>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + +### Use MDM CSPs to protect additional folders + +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. + + + + ## Allow specifc apps to make changes to controlled folders + +You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature. + +>[!IMPORTANT] +>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets. +>You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. + + +You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders. + +When you add an app, you have to specify the app's location. 
Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled Folder Access. + +### Use the Windows Defender Security app to whitelist specific apps + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) + +3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access** + +4. Click **Add an allowed app** and follow the prompts to add apps. + + ![](images/cfa-allow-app.png) + +### Use Group Policy to whitelist specific apps + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. + +6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name? + + + +### Use PowerShell to whitelist specific apps + +1. 
Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Add-MpPreference -ControlledFolderAccessAllowedApplications "" + ``` + + For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows: + + ```PowerShell + Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" + ``` + +Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app. + + +![](images/cfa-allow-app-ps.png) + + +>[!IMPORTANT] +>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + + + +### Use MDM CSPs to whitelist specific apps + +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. + +## Customize the notification + +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. + +## Related topics +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md new file mode 100644 index 0000000000..86c947101d --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -0,0 +1,260 @@ +--- +title: Enable or disable specific mitigations used by Exploit Protection +keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr +description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + +# Customize Exploit Protection + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + +Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. + + It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. + + This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. + +It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. 
The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). + + +## Exploit Protection mitigations + +All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. + +You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table. + +For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. + +Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available +- | - | - | - +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. 
| System and app-level (system default: **On** | No +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes +Block remote images | Prevents loading of images from remote devices. | App-level only | Yes +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes +Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. 
| App-level only | Yes +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes + + + + +### Configure system-level mitigations with the Windows Defender Security Center app + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label: + + ![](images/wdsc-exp-prot.png) + +3. Under the **System settings** section, find the mitigation you want to configure and select either: + - **On by default** + - **Off by default** + -**Use default** + + >[!NOTE] + >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + + Changing some settings may required a restart, which will be indicated in red text underneath the setting. + + ![](images/wdsc-exp-prot-sys-settings.png) + +4. Repeat this for all the system-level mitigations you want to configure. + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. + +Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. + + +### Configure app-specific mitigations with the Windows Defender Security Center app + +1. 
Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen: + + ![](images/wdsc-exp-prot.png) + + +3. Go to the **Program settings** section and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + + ![](images/wdsc-exp-prot-app-settings.png) + + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + + ![](images/wdsc-exp-prot-app-settings-options.png) + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. + +Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
+ + + ## PowerShell reference + + You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets. + + The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. + + >[!IMPORTANT] + >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden. + + + You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: + +```PowerShell +Get-ProcessMitigation -Name processName.exe +``` + + Use `Set` to configure each mitigation in the following format: + + ```PowerShell +Set-ProcessMitigation - - ,, +``` + + +Where: + +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. + - `-System` to indicate the mitigation should be applied at the system level +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma. 
+ + + For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: + + ```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` + + >[!IMPORTANT] + >Seperate each mitigation option with commas. + + If you wanted to apply DEP at the system level, you'd use the following command: + + ```PowerShell +Set-Processmitigation -System -Enable DEP +``` + + To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. + + If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + + ```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` + + + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + + For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: + + ```PowerShell +Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +``` + +You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`. + +### PowerShell reference table + +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
+ + + + +Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet +- | - | - | - +Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available +Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available +Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocate | Audit not available +Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Disable extension points | App-level only | ExtensionPoint | Audit not available +Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Validate handle usage | App-level only | StrictHandle | Audit not available +Validate image dependency integrity | App-level only | 
EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available + + + +\[1\]: Use the following format to enable EAF modules for dlls for a process: + +```PowerShell +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +``` + + +## Customize the notification + +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. + +## Related topics + +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md new file mode 100644 index 0000000000..f2c3551f4a --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
@@ -0,0 +1,46 @@ +--- +title: Compare the features in Exploit Protection with EMET +keywords: emet, enhanced mitigation experience toolkit, configuration, exploit +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview, build 16232 and later + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + + + + +We're still working on this content and will have it published soon! + + + +Check out the following topics for more information about Exploit Protection: + +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md new file mode 100644 index 0000000000..910db87d44 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -0,0 +1,118 @@ +--- +title: Enable ASR rules individually to protect your organization +description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques +keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Enable Attack Surface Reduction + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. + + + +## Enable and audit Attack Surface Reduction rules + +You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + +Attack Surface Reduction rules are identified by their unique rule ID. 
+ +You can manually add the rules by using the GUIDs in the following table: + +Rule description | GUIDs +-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + +See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. + +### Use Group Policy to enable Attack Surface Reduction rules + + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. + +6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: + - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + - Block mode = 1 + - Disabled = 0 + - Audit mode = 2 + + + ![](images/asr-rules-gp.png) + + + + + ### Use PowerShell to enable Attack Surface Reduction rules + +1. 
Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids + ``` + +You can enable the feature in audit mode using the following cmdlet: + +```PowerShell +Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +``` + +Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + + + +### Use MDM CSPs to enable Attack Surface Reduction rules + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. + + + + +## Related topics + +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md) +- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md new file mode 100644 index 0000000000..3471eba455 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md 
@@ -0,0 +1,107 @@ +--- +title: Turn on the protected folders feature in Windows 10 +keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use +description: Learn how to protect your important files by enabling Controlled Folder Access +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Enable Controlled Folder Access + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). + + +## Enable and audit Controlled Folder Access + +You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + +### Use the Windows Defender Security app to enable Controlled Folder Access + +1. 
Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) + +3. Set the switch for the feature to **On** + + ![](images/cfa-on.png) + +### Use Group Policy to enable Controlled Folder Access + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. + +6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: + - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + - **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders. + - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. 
+ + ![](images/cfa-gp-enable.png) + +>[!IMPORTANT] +>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. + +### Use PowerShell to enable Controlled Folder Access + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -EnableControlledFolderAccess Enabled + ``` + +You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`. + +Use `Disabled` to turn the feature off. + +### Use MDM CSPs to enable Controlled Folder Access + +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. + + +## Related topics + +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md new file mode 100644 index 0000000000..90e6cd1782 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -0,0 +1,76 @@ +--- +title: Turn on Exploit Protection to help mitigate against attacks +keywords: exploit, mitigation, attacks, vulnerability +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Enable Exploit Protection + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + + + +## Enable and audit Exploit Protection + +You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. + +The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. + +You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. 
+ +For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + +You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. + +See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations: + +1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) +2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). + + +## Related topics + +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) + + + diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md new file mode 100644 index 0000000000..4e8f0eea70 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md 
@@ -0,0 +1,100 @@ +--- +title: Turn Network Protection on +description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs +keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Enable Network Protection + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + +This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). + + +## Enable and audit Network Protection + +You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. + +For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + +### Use Group Policy to enable or audit Network Protection + + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. 
Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**. + +6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following: + - **Block** - Users will not be able to access malicious IP addresses and domains + - **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains + - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. + + +>[!IMPORTANT] +>To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. + + + ### Use PowerShell to enable or audit Network Protection + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ``` + Set-MpPreference -EnableNetworkProtection Enabled + ``` + +You can enable the feauting in audit mode using the following cmdlet: + +``` +Set-MpPreference -EnableNetworkProtection AuditMode +``` + +Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + + + +### Use MDM CSPs to enable or audit Network Protection + + +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection. + + +## Related topics + +- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Evaluate Network Protection](evaluate-network-protection.md) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md new file mode 100644 index 0000000000..1e5a5acdee --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
@@ -0,0 +1,249 @@ +--- +title: Use a demo to see how ASR can help protect your devices +description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks +keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Evaluate Attack Surface Reduction rules + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + + +Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). + +This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. + +>[!NOTE] +>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). 
+ + +## Use the demo tool to see how Attack Surface Reduction works + +Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. + +The tool is part of the Windows Defender Exploit Guard evaluation package: +- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) + +This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. + +When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. + +![](images/asr-test-tool.png) + +Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. + +>[!IMPORTANT] +>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). + +**Run a rule using the demo tool:** + +1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). + +2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. + + + >[!IMPORTANT] + >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10. + +3. 
Select the rule from the drop-down menu. + +4. Select the mode, **Disabled**, **Block**, or **Audit**. + 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**. + +5. Click **RunScenario**. + +The scenario will run, and an output will appear describing the steps taken. + +You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer. + +>[!TIP] +>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. + + +Choosing the **Mode** will change how the rule functions: + +Mode option | Description +-|- +Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all. +Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction. +Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine. + +Block mode will cause a notification to appear on the user's desktop: + +![](images/asr-notif.png) + +You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). 
+ +The following sections describe what each rule does and what the scenarios entail for each rule. + +### Rule: Block executable content from email client and webmail + + +This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. + +The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: + +Scenario name | File type | Program +- | - | - +Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail +Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook +Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook +Mail Client Script Archive | Script archive files | Microsoft Outlook +WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail +WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail +WebMail Script Archive | Script archive files | Web mail + + +### Rule: Block Office applications from creating child processes + +>[!NOTE] +>There is only one scenario to test for this rule. + +Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Office applications from creating executable content + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. 
+ +The following scenarios can be individually chosen: + +- Random + - A scenario will be randomly chosen from this list +- Extension Block + - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. + + +### Rule: Block Office applications from injecting into other processes + + +>[!NOTE] +>There is only one scenario to test for this rule. + + +Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. + + + +### Rule: Impede JavaScript and VBScript to launch executables + +JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. + +- Random + - A scenario will be randomly chosen from this list +- JScript + - JavaScript will not be allowed to launch executable files +- VBScript + - VBScript will not be allowed to launch executable files + + + +### Rule: Block execution of potentially obfuscated scripts + +Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. 
+ + +- Random + - A scenario will be randomly chosen from this list +- AntiMalwareScanInterface + - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script +- OnAccess + - Potentially obfuscated scripts will be blocked when an attempt is made to access them + + +## Review Attack Surface Reduction events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: + +Event ID | Description +-|- +5007 | Event when settings are changed +1122 | Event when rule fires in Audit-mode +1121 | Event when rule fires in Block-mode + + +## Use audit mode to measure impact + +You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +``` + +This enables all Attack Surface Reduction rules in audit mode. 
+ +>[!TIP] +>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). + + + +## Customize Attack Surface Reduction + +During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. + +See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. + + +## Related topics +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) + + + + + + + + + + + + + + diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md new file mode 100644 index 0000000000..3b7019e217 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
@@ -0,0 +1,133 @@ +--- +title: See how CFA can help protect files from being changed by malicious apps +description: Use a custom tool to see how Controlled Folder Access works in Windows 10. +keywords: controlled folder access, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Evaluate Controlled Folder Access + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + +Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). + +It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. + +This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. + +>[!NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). 
+ + +## Use the demo tool to see how Controlled Folder Access works + +Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. + +The tool is part of the Windows Defender Exploit Guard evaluation package: +- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) + +This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. + +You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. + + + +1. Type **powershell** in the Start menu. + +2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. + +3. Enter the following in the PowerShell window to enable Controlled Folder Access: + ```PowerShell + Set-MpPreference -EnableControlledFolderAccess Enabled + ``` + +4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop). + +5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. + +6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. + + ![](images/cfa-filecreator.png) + +7. 
A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: + + ![](images/cfa-notif.png) + +## Review Controlled Folder Access events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1124 | Audited Controlled Folder Access event +1123 | Blocked Controlled Folder Access event + + +## Use audit mode to measure impact + +As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -EnableControlledFolderAccess AuditMode +``` + +>[!TIP] +>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). 
+ + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + + +## Customize protected folders and apps + +During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. + +See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. + +## Related topics +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md new file mode 100644 index 0000000000..94309ec278 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md 
@@ -0,0 +1,133 @@ +--- +title: See how Exploit Protection works in a demo +description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps. +keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Evaluate Exploit Protection + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. + +This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment. + +>[!NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) . + + +## Enable and validate an Exploit Protection mitigation + +For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. 
+ +First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app: + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** + +2. Enter the following cmdlet: + + ```PowerShell + SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation + ``` + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. + +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. + +4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. + +Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: + +1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box. + +2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer. + +3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process). + +Lastly, we can disable the mitigation so that Internet Explorer works properly again: + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. + +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. + +4. 
Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** + +5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. + + +## Review Exploit Protection events in Windows Event Viewer + +You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + +4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic. + +6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: + + Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. + + +## Use audit mode to measure impact + +As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations. + +This lets you see a record of what *would* have happened if you had enabled the mitigation. 
+ +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. + +See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + + +## Related topics +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md new file mode 100644 index 0000000000..41d3ca0276 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md 
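Review bot: the PowerShell step in evaluate-exploit-protection.md will not run as written. `SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation` is missing the hyphens that make it a cmdlet with parameters; it should be `Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation`, matching the `Set-MpPreference -EnableNetworkProtection Enabled` form used elsewhere in this patch. Since the whole demo (and the later event ID 4 check) depends on that one command, this should be verified on a box before merge. Smaller points in the same file: "Exploit Protection applies helps protect devices" and "This topcs helps you" are garbled; "(MDM to deploy" never closes its parenthesis; "andp ress" and the keyword "mitigiation" are typos; `ms.pagetype: security` appears twice in the front matter; the Event Viewer procedure has two items numbered "4."; and "filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection] topic" introduces no list, so either add the event table here or reword to "the events listed in".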
@@ -0,0 +1,115 @@ +--- +title: Conduct a demo to see how Network Protection works +description: Quickly see how Network Protection works by performing common scenarios that it protects against +keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + +# Evaluate Network Protection + + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell + + + +Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + +This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site. + +>[!NOTE] +>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. + +## Enable Network Protection + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -EnableNetworkProtection Enabled + ``` + +You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`. + +### Visit a (fake) malicious domain + +1. 
Open Internet Explorer, Google Chrome, or any other browser of your choice. + +1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net). + +You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. + +![](images/np-notif.png) + + + ## Review Network Protection events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when performing the demo: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Network Protection: + +Event ID | Description +-|- +5007 | Event when settings are changed +1125 | Event when rule fires in Audit-mode +1126 | Event when rule fires in Block-mode + + +## Use audit mode to measure impact + +You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -EnableNetworkProtection AuditMode +``` + + +>[!TIP] +>If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). 
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md). + + + + + ## Related topics + +- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md new file mode 100644 index 0000000000..7f93a40671 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md 
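Review bot: the event table in evaluate-network-protection.md describes 1125 and 1126 as "Event when rule fires in Audit-mode/Block-mode", but Network Protection has no rules; the consolidated table in event-views-exploit-guard.md in this same patch reads "Event when Network Protection fires in Audit-mode", so use that wording here too. The headings `## Review Network Protection events in Windows Event Viewer` and `## Related topics` are indented by a leading space, unlike the other headings in the file. Typos: "visted", "connnection", and "the events there were created" (should be "that were created"). The `![](images/np-notif.png)` image has no alt text.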
@@ -0,0 +1,55 @@ +--- +title: Evaluate the impact of Windows Defender Exploit Guard +description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios +keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Evaluate Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + +Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. + +Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. + +Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are. 
+ + +- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) +- [Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Evaluate Network Protection](evaluate-network-protection.md) + +You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: + +- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) + +## Related topics + +Topic | Description +---|--- +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md new file mode 100644 index 0000000000..2e4142e7ae --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md 
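Review bot: the "Related topics" section of evaluate-windows-defender-exploit-guard.md opens a table with `Topic | Description` and `---|---` but then continues with `- [...]` bullets instead of table rows, so it renders as an empty table header followed by a stray list; either drop the two header lines (as the other evaluate-* topics in this patch do) or convert each bullet into a `[link](...) | description` row. Typos: "prerequisutes"; "employee's work habits" should be "employees' work habits"; "is comprised of four features" reads better as "comprises four features".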
@@ -0,0 +1,183 @@ +--- +title: Import custom views to see Windows Defender Exploit Guard events +description: Use Windows Event Viewer to import individual views for each of the features. +keywords: event view, exploit guard, audit, review, events +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.date: 08/25/2017 +localizationpriority: medium +author: iaanw +ms.author: iawilt + +--- + + +# Reduce attack surfaces with Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + +Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. + +Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. + +This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. + +## Use custom views to review Windows Defender Exploit Guard features + +You can create custom views in the Windows Event Viewer to only see events for specific features and settings. + +The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. + +### Import an existing XML custom view + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. 
The following filenames are each of the custom views: + - Controlled Folder Access events custom view: *cfa-events.xml* + - Exploit Protection events custom view: *ep-events.xml* + - Attack Surface Reduction events custom view: *asr-events.xml* + - Network Protection events custom view: *np-events.xml* + +1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. + +3. On the left panel, under **Actions**, click **Import Custom View...** + + ![](images/events-import.gif) + +4. Navigate to where you extracted XML file for the custom view you want and select it. + +4. Click **Open**. + +5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). + + +### Copy the XML directly + + +1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. + +3. On the left panel, under **Actions**, click **Create Custom View...** + + ![](images/events-create.gif) + +4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. + +5. Paste the XML code for the feature you want to filter events from into the XML section. + +4. Click **OK**. Specify a name for your filter. + +5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). 
+ + + + + +### XML for Attack Surface Reduction events + +```xml + + + + + + +``` + +### XML for Controlled Folder Access events + +```xml + + + + + + +``` + +### XML for Exploit Protection events + +```xml + + + + + + + + + + + + + + + +``` + +### XML for Network Protection events + +```xml + + + + + + + +``` + + + +## List of all Windows Defender Exploit Guard events + + +All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. + +Feature | Provider/source | Event ID | Description +:-|:-|:-:|:- +Exploit Protection | Security-Mitigations | 1 | ACG audit +Exploit Protection | Security-Mitigations | 2 | ACG enforce +Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit +Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block +Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit +Exploit Protection | Security-Mitigations | 6 | Block low integrity images block +Exploit Protection | Security-Mitigations | 7 | Block remote images audit +Exploit Protection | Security-Mitigations | 8 | Block remote images block +Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit +Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block +Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit +Exploit Protection | Security-Mitigations | 12 | Code integrity guard block +Exploit Protection | Security-Mitigations | 13 | EAF audit +Exploit Protection | Security-Mitigations | 14 | EAF enforce +Exploit Protection | Security-Mitigations | 15 | EAF+ audit +Exploit Protection | Security-Mitigations | 16 | EAF+ enforce +Exploit Protection | Security-Mitigations | 17 | IAF audit +Exploit Protection | Security-Mitigations | 18 | IAF enforce +Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit +Exploit 
Protection | Security-Mitigations | 20 | ROP StackPivot enforce +Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit +Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce +Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit +Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce +Exploit Protection | WER-Diagnostics | 5 | CFG Block +Exploit Protection | Win32K | 260 | Untrusted Font +Network Protection | Windows Defender | 5007 | Event when settings are changed +Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode +Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode +Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed +Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event +Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event +Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed +Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode +Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md new file mode 100644 index 0000000000..cc5ba5334b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
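Review bot: the H1 in event-views-exploit-guard.md is `# Reduce attack surfaces with Windows Defender Exploit Guard`, which is the Attack Surface Reduction topic's title and contradicts this file's own front matter ("Import custom views to see Windows Defender Exploit Guard events"); fix the heading. The four ```xml blocks under "XML for ... events" are empty in this hunk, so the "Copy the XML directly" procedure ("Paste the XML code for the feature you want to filter events from") has nothing to paste; the query XML needs to be present or that section is unusable. Both procedures are numbered 1, 1, 3, 4, 4, 5. The import procedure ends with "Click **Open**" while every other Event Viewer procedure in the patch says "Click **OK**"; confirm which the dialog actually shows. Typos: "Windos", "appropraite", "Each of the four features ... allow you" (allows), and "where you extracted XML file" (the XML file).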
@@ -0,0 +1,125 @@ +--- +title: Apply mitigations to help prevent attacks through vulnerabilities +keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Protect devices from exploits with Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + +Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + + You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + + When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled. + + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. + + >[!IMPORTANT] + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + + + +## Requirements + +The following requirements must be met before Exploit Protection will work: + +Windows 10 version | Windows Defender Advanced Threat Protection +-|- +Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) + + + ## Review Exploit Protection events in Windows Event Viewer + +You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. + +2. 
Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + + ![](images/events-import.gif) + +4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +5. Click **OK**. + +6. This will create a custom view that filters to only show the following events related to Exploit Protection: + +Provider/source | Event ID | Description +-|:-:|- +Security-Mitigations | 1 | ACG audit +Security-Mitigations | 2 | ACG enforce +Security-Mitigations | 3 | Do not allow child processes audit +Security-Mitigations | 4 | Do not allow child processes block +Security-Mitigations | 5 | Block low integrity images audit +Security-Mitigations | 6 | Block low integrity images block +Security-Mitigations | 7 | Block remote images audit +Security-Mitigations | 8 | Block remote images block +Security-Mitigations | 9 | Disable win32k system calls audit +Security-Mitigations | 10 | Disable win32k system calls block +Security-Mitigations | 11 | Code integrity guard audit +Security-Mitigations | 12 | Code integrity guard block +Security-Mitigations | 13 | EAF audit +Security-Mitigations | 14 | EAF enforce +Security-Mitigations | 15 | EAF+ audit +Security-Mitigations | 16 | EAF+ enforce +Security-Mitigations | 17 | IAF audit +Security-Mitigations | 18 | IAF enforce +Security-Mitigations | 19 | ROP StackPivot audit +Security-Mitigations | 20 | ROP StackPivot enforce +Security-Mitigations | 21 | ROP CallerCheck audit +Security-Mitigations | 22 | ROP CallerCheck enforce +Security-Mitigations | 23 | ROP SimExec audit +Security-Mitigations | 24 | ROP SimExec enforce +WER-Diagnostics | 5 | CFG Block +Win32K | 260 | Untrusted Font + + + ## In this section + +Topic | Description +---|--- +[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included 
in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved. +[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior. +[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network. +[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. +[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection. \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png new file mode 100644 index 0000000000..2f8eb02556 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png new file mode 100644 index 0000000000..fa6285cb56 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png new file mode 100644 index 0000000000..569ee7a256 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png differ 
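Review bot: in exploit-protection-exploit-guard.md the sentence "You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification)" links to the Attack Surface Reduction customization topic, and the next sentence, "You can also enable the rules individually to customize what techniques the feature monitors", uses ASR's rule terminology; Exploit Protection configures mitigations, not rules, so reword and point the link at customize-exploit-protection.md (already listed in this topic's "In this section" table) if that topic has a matching section. Also, several body paragraphs, the `>[!IMPORTANT]` block, and the `## Review Exploit Protection events in Windows Event Viewer` and `## In this section` headings begin with a leading space, and `ms.pagetype: security` is duplicated in the front matter.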
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png new file mode 100644 index 0000000000..f93dbe34e3 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png new file mode 100644 index 0000000000..6b078ec9d5 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png new file mode 100644 index 0000000000..88cd35c6ce Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png new file mode 100644 index 0000000000..89abf15424 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png new file mode 100644 index 0000000000..96e6874361 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png differ 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png new file mode 100644 index 0000000000..d8f0ccffab Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png new file mode 100644 index 0000000000..62ca8c3021 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png new file mode 100644 index 0000000000..7441a54834 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png new file mode 100644 index 0000000000..a61b54a696 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png new file mode 100644 index 0000000000..d36cdd8498 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png differ 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png new file mode 100644 index 0000000000..96d12d3af1 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif new file mode 100644 index 0000000000..68f057de3a Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif new file mode 100644 index 0000000000..55e77c546f Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png new file mode 100644 index 0000000000..d7b921aa69 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png new file mode 100644 index 0000000000..69eb1bbeee Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png differ 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png new file mode 100644 index 0000000000..01801a519d Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png new file mode 100644 index 0000000000..38404d7569 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png new file mode 100644 index 0000000000..3289ace8cf Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png new file mode 100644 index 0000000000..53edeb6135 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png new file mode 100644 index 0000000000..5bc0f3e22b Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png differ 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md new file mode 100644 index 0000000000..c864cb9ed7 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md 
@@ -0,0 +1,172 @@ +--- +title: Deploy Exploit Protection mitigations across your organization +keywords: exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install +description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit Protection configuration. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Import, export, and deploy Exploit Protection configurations + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + + +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit Protection. + +You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. + +You can also convert and import an existing EMET configuration XML file into an Exploit Protection configuration XML. 
+ +This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. + +The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit Protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. + + + +## Create and export a configuration file + +Before you export a configuration file, you need to ensure you have the correct settings. + +You should first configure Exploit Protection on a single, dedicated machine. See the [Customize Exploit Protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations. + +When you have configured Exploit Protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. + +### Use the Windows Defender Security Center app to export a configuration file + + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: + + ![](images/wdsc-exp-prot.png) + +3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. + + + ![](images/wdsc-exp-prot-export.png) + +>[!NOTE] +>When you export the settings, all settings for both app-level and system-level mitigations are saved. 
This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. + + +### Use PowerShell to export a configuration file + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Get-ProcessMitigation -RegistryConfigFilePath filename.xml + ``` + +Change `filename` to any name or location of your choosing. + +> [!IMPORTANT] +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. + + +## Import a configuration file + +You can import an Exploit Protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. + +After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app. + +### Use PowerShell to import a configuration file + + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-ProcessMitigation -RegistryConfigFilePath filename.xml + ``` + +Change `filename` to the location and name of the Exploit Protection XML file. + +>[!IMPORTANT] +>Ensure you import a configuration file that is created specifically for Exploit Protection. You cannot directly import an EMET configuration file, you must convert it first. + + +## Convert an EMET configuration file to an Exploit Protection configuration file + +You can convert an existing EMET configuration file to the new format used by Exploit Protection. You must do this if you want to import an EMET configuration into Exploit Protection in Windows 10. + +You can only do this conversion in PowerShell. + +1. 
Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml + ``` + +Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. + + +## Manage or deploy a configuration + +You can use Group Policy to deploy the configuration you've created to multiple machines in your network. + +> [!IMPORTANT] +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. + +### Use Group Policy to distribute the configuration + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit Protection**. + + ![](images/exp-prot-gp.png) + +6. Double-click the **Use a common set of exploit protection settings** setting and set the option to **Enabled**. + +7. In the **Options::** section, enter the location and filename of the Exploit Protection configuration file that you want to use, such as in the following examples: + - C:\MitigationSettings\Config.XML + - \\Server\Share\Config.xml + - https://localhost:8080/Config.xml + +8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). 
+ + +## Related topics + +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md new file mode 100644 index 0000000000..2f1e023d45 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md 
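Review bot: the "Use Group Policy to distribute the configuration" steps in this hunk tell admins to place the configuration XML in a shared location (examples given include `\\Server\Share\Config.xml` and `https://localhost:8080/Config.xml`) but say nothing about who may write to it; since every machine applies whatever mitigations that file specifies, anyone who can modify it can weaken or disable mitigations fleet-wide, so suggest stating that the share or web location must be readable by clients but writable only by the policy owners. The import step uses `Set-ProcessMitigation -RegistryConfigFilePath filename.xml`, which reuses the export parameter name from `Get-ProcessMitigation`; confirm against the cmdlet, whose import parameter is `-PolicyFilePath`. Smaller fixes: the front matter repeats `ms.pagetype: security`; "Exploit Protection applies helps protect" should read "Exploit Protection helps protect"; "instrucitons" is misspelled; the parenthesis in "(name *ProcessMitigation-Selfhost-v4.xml*" is never closed; and the Group Policy list jumps from step 1 to step 3.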
@@ -0,0 +1,95 @@ +--- +title: Use Network Protection to help prevent connections to bad sites +description: Protect your network by preventing users from accessing known malicious and suspicious network addresses +keywords: Network Protection, exploits, malicious website, ip, domain, domains +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Protect your network with Windows Defender Exploit Guard + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + +It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +When Network Protection blocks a connection, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled. + + + +## Requirements + +The following requirements must be met before Network Protection will work: + +Windows 10 version | Windows Defender Antivirus +- | - +Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled + + +## Review Network Protection events in Windows Event Viewer + + +You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + + ![](images/events-import.gif) + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. 
This will create a custom view that filters to only show the following events related to Network Protection: + + Event ID | Description +-|- +5007 | Event when settings are changed +1125 | Event when Network Protection fires in Audit-mode +1126 | Event when Network Protection fires in Block-mode + + + + + ## In this section + +Topic | Description +---|--- +[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created. +[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network. \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/threat-protection/windows-defender-exploit-guard/prerelease.md new file mode 100644 index 0000000000..1164534c8a --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/prerelease.md @@ -0,0 +1,2 @@ +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md new file mode 100644 index 0000000000..3df7e0ace2 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
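Review bot: the sentence "You can also enable the rules individually to customize what techniques the feature monitors" does not fit this topic; Network Protection as described in this hunk is a single block-or-audit feature with no per-rule configuration (the linked customize-attack-surface-reduction.md topic belongs to Attack Surface Reduction), so this line looks carried over and should be dropped or reworded. Also: the front matter repeats `ms.pagetype: security`; "outboud" should be "outbound"; the Event Viewer procedure numbers its first two steps 1 and 1; " ## In this section" has a leading space that will stop it rendering as a heading; "Undertake aa quick scenario that demonstrate" should read "Undertake a quick scenario that demonstrates"; and the file lacks a trailing newline.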
@@ -0,0 +1,79 @@ +--- +title: Use Windows Defender Exploit Guard to protect your network +description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks +keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + +Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. 
+ +There are four features in Windows Defender EG: + +- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps +- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware +- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices +- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware + + +You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action: +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) + + +You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security. 
+ +Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes: +- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md) +- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) +- Windows Defender Device Guard +- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) + +You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +Each of the features in Windows Defender EG have slightly different requirements: + +Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) +-|-|-|- +Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console +Attack Surface Reduction | Must be enabled | Required for reporting in the Windows Defender ATP console +Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console +Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console + +> [!NOTE] +> Each feature's requirements are further described in the individual topics in this library. 
+ + + ## In this library + +Topic | Description +---|--- +[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. +[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. +[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. +[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. + + diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png new file mode 100644 index 0000000000..ea5b039dd9 Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png differ 
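Review bot: the requirements table header has three columns (Feature, Windows Defender Antivirus, Windows Defender Advanced Threat Protection license) but the separator row `-|-|-|-` declares four, which will break the table in markdown renderers; change it to `-|-|-`. Also: the front matter repeats `ms.pagetype: security`; "Each of the features in Windows Defender EG have" should be "has"; "threat mitigation, preventing, protection, and analysis technologies" should be "threat mitigation, prevention, protection, and analysis technologies"; the toolkit is spelled "Enhanced Mitigations Experience Toolkit" in the library table but "Enhanced Mitigation Experience Toolkit" elsewhere in this PR; and " ## In this library" has a leading space that will stop it rendering as a heading.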
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png new file mode 100644 index 0000000000..363648cbc0 Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png differ diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 84618a3d06..00470f7842 100644 --- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- 
@@ -108,6 +110,43 @@ See the following links for more information on the features in the Windows Defe - Family options, which include a number of parental controls along with tips and information for keeping kids safe online - Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender) +## Customize notifications from the Windows Defender Security Center + +You can customize notifcations so they show information to users about how to get more help from your organization's help desk. + +![](images/security-center-custom-notif.png) + +This information will also appear as a pop-out window on the Windows Defender Security Center app. + +![](images/security-center-custom-flyout.png) + +Users can click on the displayed information to get more help: +- Clicking **Call** or the phone number will open Skype to start a call to the displayed number +- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email +- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address + + +### Use Group Policy to customize the notification + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**. + +6. Open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. + +7. 
Open the **Specify contact company name** setting and set it to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. + +8. To ensure the custom notification appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: + 1. Specify contact email address of Email ID + 2. Specify contact phone number or Skype ID + 3. Specify contact website + +9. Click **OK** after configuring each setting to save your changes. + >[!NOTE] diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md index 5e1df99718..853ef9a50d 100644 --- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md index 2b6985d243..922db68920 100644 --- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # How to collect Windows Information Protection (WIP) audit event logs 
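Review bot: in the Group Policy procedure added to windows-defender-security-center.md the steps jump from 1 to 3, and the contact settings sub-list reads "Specify contact email address of Email ID" where "or Email ID" is meant. Also: "notifcations" is misspelled; "To ensure the custom notification appear" should be "appears"; and "create a new email in the machine's default email app address to the displayed email" should read "addressed to the displayed email".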
diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 50bf85a578..cee2d5b687 100644 --- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index e4edc3e586..163ef51a0f 100644 --- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md index 7b54968b51..83010d82bf 100644 --- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 6f9d99a876..48b2f0abd2 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md index 2f74bae405..b40ee0a441 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 16465baf1b..af978f2b5a 100644 
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager 
@@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with ### Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. 
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

      After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index b953181936..1324eed5be 100644 --- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md index 1cdad28951..8dd0fcf76f 100644 --- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 3694e13ba8..f3ef168e1c 100644 --- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md 
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md index 73eddd870d..08e74a6265 100644 --- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # General guidance and best practices for Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md index 67b6897a16..9c61e080b5 100644 --- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Limitations while using Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md index d810066027..34070f6316 100644 --- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md 
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md index 428c25c20d..6dcd047747 100644 --- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Create a Windows Information Protection (WIP) policy diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 934aa9ae7c..d374d95478 100644 --- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Protect your enterprise data using Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 418c24c0ef..5bd3eccc1f 100644 
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md index 0c5aff23c1..88f14510a5 100644 --- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Testing scenarios for Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md index e2aacd97c4..dbba82c416 100644 --- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Using Outlook on the web with Windows Information Protection (WIP) diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md index fbf77802f5..bc89db2205 100644 
--- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium --- # Determine the Enterprise Context of an app running in Windows Information Protection (WIP) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index c9f5e7c9b1..f9ecc8bc12 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -1,5 +1,5 @@ --- -title: What's in Windows 10, version 1703 +title: What's new in Windows 10, version 1703 description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated). keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 
@@ -295,6 +295,37 @@ Windows 10 Mobile, version 1703 also includes the following enhancements: - Set Ethernet port properties - Set proxy properties for the Ethernet port +## Miracast on existing wireless network or LAN + +In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + + +### How it works + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +### Enabling Miracast over Infrastructure + +If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. 
To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + ## New features in related products The following new features aren't part of Windows 10, but help you make the most of it.
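Review bot: in the create-wip-policy-using-sccm.md hunk the mode is renamed from **Block** to **Hide Overrides** in both the recommendation sentence and the table, but the row description is carried over verbatim, so the table never says what is being hidden; add a clause to that row along the lines of "employees are not shown the option to override the policy" so the new name is explained, and confirm that the other WIP pages in this change use the same mode name (the Intune create/deploy pages get only the ms.localizationpriority edit here), otherwise the mode tables diverge across the set.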
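Review bot: the thirteen windows-information-protection pages visible in this part of the diff all move from `ms.localizationpriority: high` to `medium` with nothing in the diff explaining why; state the reason in the PR description so the downgrade is not reverted by the next editor who assumes it was accidental.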
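Review bot: the whats-new-windows-10-version-1703.md title hunk corrects "What's in" to "What's new in", but the unchanged context line directly below still reads "(also known as the Creators Updated)"; fix that to "Creators Update" in the same change rather than leaving one typo beside the other.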
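Review bot: the Miracast hunk states its requirements twice: the first bullet ("needs to be running Windows 10, version 1703") repeats the sentence before the list, and the last bullet ("Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection") repeats the two source/receiver sub-bullets; drop the duplicates. "In the Windows 10, version 1703," also has a stray "the". On substance, the section says the infrastructure path is only chosen over Ethernet or WPA2-PSK/WPA2-Enterprise Wi-Fi and disables itself on open Wi-Fi, but never says whether the stream itself is protected once it is on the LAN; a sentence answering that, or a pointer to the MS-MICE reference already linked, would address the first question a security reader asks here.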