From 934794efd246de9332b0e8ca34e7427b8fcbb870 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 9 Jun 2017 14:29:30 -0700 Subject: [PATCH 1/4] TFS 12108701, Policy CSP, added 5 new Update policies --- .../policy-configuration-service-provider.md | 179 +++++++++++++++++- 1 file changed, 177 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1fb89dc1e2..a8d92a4bd2 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -19352,7 +19352,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Enables the IT admin to schedule the day of the update installation. -

The data type is a string. +

The data type is a integer.

Supported operations are Add, Delete, Get, and Replace. @@ -19367,6 +19367,181 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 6 – Friday - 7 – Saturday + + + +**Update/ScheduledInstallEveryWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +

+ + + + +**Update/ScheduledInstallFirstWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +

+ + + + +**Update/ScheduledInstallFourthWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +

+ + + + +**Update/ScheduledInstallSecondWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +

+ + + + +**Update/ScheduledInstallThirdWeek** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
+ + + +

Added in Windows 10, the next major update. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +

+ @@ -19402,7 +19577,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Enables the IT admin to schedule the time of the update installation. -

The data type is a string. +

The data type is a integer.

Supported operations are Add, Delete, Get, and Replace. From 735b907ebac46ecfe416c969fef089595958d45c Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 16 Jun 2017 15:20:17 -0700 Subject: [PATCH 2/4] What's new topic change history --- .../mdm/new-in-windows-mdm-enrollment-management.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 0a201a89d0..8de98c6e08 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1237,6 +1237,11 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).

  • Power/HibernateTimeoutPluggedIn
  • Power/StandbyTimeoutOnBattery
  • Power/StandbyTimeoutPluggedIn
  • +
  • Update/ScheduledInstallEveryWeek
  • +
  • Update/ScheduledInstallFirstWeek
  • +
  • Update/ScheduledInstallFourthWeek
  • +
  • Update/ScheduledInstallSecondWeek
  • +
  • Update/ScheduledInstallThirdWeek
  • From bde7f93ecfd4a58f1f3bd18a547771792961c31b Mon Sep 17 00:00:00 2001 From: John Tobin Date: Fri, 16 Jun 2017 16:53:56 -0700 Subject: [PATCH 3/4] Remove reference to WSH --- ...etting-started-on-the-device-guard-deployment-process.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index 6137312ec7..b8c330f882 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md 
@@ -38,11 +38,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. - Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. (See the Acknowledgments section of [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)). -Depending on the context, you may want to block these applications. To see this list of applications and for use case examples, such as disabling Windows Script Host (WHS) or disabling msbuild.exe, see Deploy code integrity policies: steps. - - - + Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. 
To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). From 4ca36ec74056be20a92f947bbe641accb9c0a505 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Fri, 16 Jun 2017 16:59:00 -0700 Subject: [PATCH 4/4] Remove reference to WSH --- ...nd-getting-started-on-the-device-guard-deployment-process.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index b8c330f882..d3919505b8 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -73,3 +73,5 @@ This topic provides a roadmap for planning and getting started on the Device Gua > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). + +
    \ No newline at end of file
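Review bot: In PATCH 1/4, the `@@ -19352,7 +19352,7 @@` and `@@ -19402,7 +19577,7 @@` hunks change the documented data type of the existing schedule day and schedule time policies from string to integer, but the commit subject only mentions the five new Update policies. Please call the type correction out in the commit message so that anyone maintaining MDM payloads for these two settings can find the change. The replacement line `The data type is a integer.` should also read "an integer" in both hunks.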
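Review bot: In PATCH 1/4, each of the five new entries in the `@@ -19367,6 +19367,181 @@` hunk (Update/ScheduledInstallEveryWeek through Update/ScheduledInstallThirdWeek) ends at `Supported values:` with nothing listed after it in the text shown here. An admin cannot tell which integer enables or disables the weekly schedule, so please list each value with its meaning, in the same style as the day list in the context lines above (`6 – Friday`, `7 – Saturday`). Two wording points in the same hunk: "on the every week" should be "every week", and "Added in Windows 10, the next major update" should name the release once it is known.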
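Review bot: In PATCH 3/4, the rewritten paragraph in the `@@ -38,11 +38,7 @@` hunk drops the sentence `(See the Acknowledgments section of [Deploy code integrity policies: steps]...)` as well as the Windows Script Host example, while the commit subject says only "Remove reference to WSH". If removing the pointer to the Acknowledgments section is intended, say so in the commit message; otherwise keep it, since the preceding sentence still credits the reports from security professionals and the reader no longer has a link to where they are acknowledged.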
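Review bot: In PATCH 4/4, the two lines added at the end of the `@@ -73,3 +73,5 @@` hunk are an empty line and a whitespace-only line, and the file now ends with `\ No newline at end of file`. Nothing in this hunk touches a WSH reference, so the subject "Remove reference to WSH" repeats PATCH 3/4 without describing this change. Suggest dropping this commit, or squashing it into 3/4 with the trailing whitespace removed and the file terminated by a single newline.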