diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index 880289a39d..40444da9f6 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -44,7 +44,7 @@ If you're having trouble deciding whether Microsoft Edge is right for your organ |Microsoft Edge |IE11 | |---------|---------| -|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
 - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Windows Defender SmartScreen -- **GP name:** AllowSmartScreen -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** EnabledV9 -- **Value type:** REG_DWORD - -
 + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Windows Defender SmartScreen +- **GP name:** AllowSmartScreen +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** EnabledV9 +- **Value type:** REG_DWORD + +
![]() **NSS Labs web browser security reports** See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks. Download the reports | ![]() **Microsoft Edge sandbox** See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege. Find out more | ![]() **Windows Defender SmartScreen** Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely. Read the docs |
- -  +- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**. +- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
- - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
+
- >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
+- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
- 
-
- - Click **Finish** to create the account.
+> **Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
- 
+
+- Click **Finish** to create the account.
+
-2. Enable the remote mailbox.
+2. Enable the remote mailbox.
- Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet.
+Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet.
- ```PowerShell
- Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room
- ```
- >[!NOTE]
- >If you don't have an on-premises Exchange environment to run this cmdlet, you can make the same changes directly to the Active Directory object for the account.
- >
- >msExchRemoteRecipientType = 33
- >
- >msExchRecipientDisplayType = -2147481850
- >
- >msExchRecipientTypeDetails = 8589934592
-
-3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Microsoft 365 admin center and verify that the account created in the previous steps has merged to online.
-
-4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365.
+```PowerShell
+Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room
+```
- Start a remote PowerShell session on a PC and connect to Microsoft Exchange. Be sure you have the right permissions set to run the associated cmdlets.
+> [!NOTE]
+> If you don't have an on-premises Exchange environment to run this cmdlet, you can make the same changes directly to the Active Directory object for the account.
+>
+> msExchRemoteRecipientType = 33
+>
+> msExchRecipientDisplayType = -2147481850
+>
+> msExchRecipientTypeDetails = 8589934592
- The next steps will be run on your Office 365 tenant.
+3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Microsoft 365 admin center and verify that the account created in the previous steps has merged to online.
- ```PowerShell
- Set-ExecutionPolicy RemoteSigned
- $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
- $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
- Import-PSSession $sess
- ```
+4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365.
-5. Create a new Exchange ActiveSync policy, or use a compatible existing policy.
+Start a remote PowerShell session on a PC and connect to Microsoft Exchange. Be sure you have the right permissions set to run the associated cmdlets.
- After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy or use a compatible existing policy.
-
- Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
+The next steps will be run on your Office 365 tenant.
- If you haven’t created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
+```PowerShell
+Set-ExecutionPolicy RemoteSigned
+$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
+$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
+Import-PSSession $sess
+```
- ```PowerShell
- $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
- ```
+5. Create a new Exchange ActiveSync policy, or use a compatible existing policy.
- Once you have a compatible policy, then you will need to apply the policy to the device account.
+After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy or use a compatible existing policy.
- ```PowerShell
- Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
- ```
+Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
-6. Set Exchange properties.
+If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
- Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
+```PowerShell
+$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+```
- ```PowerShell
- Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
- Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!'
- ```
+Once you have a compatible policy, you will need to apply the policy to the device account.
-7. Connect to Azure AD.
+```PowerShell
+Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
+```
- You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
- ```PowerShell
- Install-Module -Name AzureAD
- ```
-
- You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
+6. Set Exchange properties.
- ```PowerShell
- Import-Module AzureAD
- Connect-AzureAD -Credential $cred
- ```
-8. Assign an Office 365 license.
+Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
- The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
-
- You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
+```PowerShell
+Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!'
+```
- Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
+7. Connect to Azure AD.
- ```PowerShell
- Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
-
- Get-AzureADSubscribedSku | Select Sku*,*Units
- $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
- $License.SkuId = SkuId You selected
-
- $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
- $AssignedLicenses.AddLicenses = $License
- $AssignedLicenses.RemoveLicenses = @()
-
- Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
- ```
+You first need to install Azure AD module for PowerShell version 2. In an elevated PowerShell prompt, run the following command:
+
+```PowerShell
+Install-Module -Name AzureAD
+```
+
+You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
+
+```PowerShell
+Import-Module AzureAD
+Connect-AzureAD -Credential $cred
+```
+
+8. Assign an Office 365 license.
+
+The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
+
+You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
+
+Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
+
+```PowerShell
+Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
+
+Get-AzureADSubscribedSku | Select Sku*,*Units
+$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
+$License.SkuId = SkuId You selected
+
+$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
+$AssignedLicenses.AddLicenses = $License
+$AssignedLicenses.RemoveLicenses = @()
+
+Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
+```
Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid).
-
### Skype for Business Online
To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need.
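Review bot: Un-indenting the paragraphs, notes and code fences that follow each numbered step (for example `+Open your on-premises Exchange Management Shell...` directly under `+2. Enable the remote mailbox.`) takes that content out of its list item, so steps 1 through 8 no longer render as one ordered list with nested content, and the former sub-bullets under step 1 become top-level bullets. Keep the continuation content indented under its step, as the removed lines had it. Since the license block is being re-added anyway, `$License.SkuId = SkuId You selected` is not a valid assignment as written; a quoted placeholder or a comment would make clear that the reader has to substitute a value.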
@@ -149,7 +150,7 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo
| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL |
| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL |
| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL |
-
+
The following table lists the Office 365 plans and Skype for Business options.
| O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans |
@@ -162,42 +163,42 @@ The following table lists the Office 365 plans and Skype for Business options.
1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
- ```PowerShell
- Import-Module SkypeOnlineConnector
- $cssess=New-CsOnlineSession -Credential $cred
- Import-PSSession $cssess -AllowClobber
- ```
-
+```PowerShell
+Import-Module SkypeOnlineConnector
+$cssess=New-CsOnlineSession -Credential $cred
+Import-PSSession $cssess -AllowClobber
+```
+
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
- ```PowerShell
- Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
- ```
-
- If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
+```PowerShell
+Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
+```
- ```PowerShell
- Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool*
- ```
+If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
+
+```PowerShell
+Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool*
+```
3. Assign Skype for Business license to your Surface Hub account.
- Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
-
- - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
-
- - Click on **Users and Groups** and then **Add users, reset passwords, and more**.
-
- - Click the Surface Hub account, and then click the pen icon to edit the account information.
-
- - Click **Licenses**.
-
- - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub.
-
- - Click **Save**.
+ Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) license to the device.
- >[!NOTE]
- >You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
+- Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
+
+- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
+
+- Click the Surface Hub account, and then click the pen icon to edit the account information.
+
+- Click **Licenses**.
+
+- In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub.
+
+- Click **Save**.
+
+> [!NOTE]
+> You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
For validation, you should be able to use any Skype for Business client (PC, Android, etc.) to sign in to this account.
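Review bot: The sentence edited in step 3 now reads "assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) license", but the bullet a few lines later says to select "Skype for Business (Plan 1) or Skype for Business (Plan 2)"; the two plan pairs should be reconciled while this sentence is being touched. Separately, the lookup for `RegistrarPool` is described as reading the value "from an existing Skype for Business user", yet the re-added command queries `HUB01@contoso.com`, the account being enabled; the online-deployment file in this same patch uses `alice@contoso.com` for that purpose, and the same example identity would fit here.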
@@ -205,7 +206,7 @@ For validation, you should be able to use any Skype for Business client (PC, And
To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
-```
+```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName
```
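Review bot: The fence tag added here is `PowerShell`, while the fences added to surface-hub-2s-account.md in this same patch use lowercase `powershell`. Pick one spelling for the whole change so the docs stay consistent.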
@@ -217,181 +218,181 @@ The Surface Hub requires a Skype account of the type `meetingroom`, while a norm
In Skype for Business Server 2015 hybrid environment, any user that you want in Skype for Business Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online. The move of a user account from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet. To move a Csmeetingroom object, use the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet.
->[!NOTE]
->To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
+> [!NOTE]
+> To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
## Exchange online
+
Use this procedure if you use Exchange online.
-1. Create an email account in Office 365.
+1. Create an email account in Office 365.
- Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets.
+Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets.
- ```PowerShell
- Set-ExecutionPolicy RemoteSigned
- $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
- $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
- Import-PSSession $sess
- ```
+```PowerShell
+Set-ExecutionPolicy RemoteSigned
+$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
+$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
+Import-PSSession $sess
+```
-2. Set up mailbox.
+2. Set up a mailbox.
- After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub.
+After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub.
- If you're changing an existing resource mailbox:
+If you're changing an existing resource mailbox:
- ```PowerShell
- Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String Unjoin some other device that is currently joined using the same account or increase the maximum number of devices per user. Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed -or- Token was not found in the Authorization header -or- Failed to read one or more objects -or- The request sent to the server was invalid. Users access a dangerous website without knowledge of the risk. The SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device. The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device. Malware exploits a vulnerability in a browser add-on. Windows 10, Version 1607 and earlier: If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. 
If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen. If you enable this setting, your employees can only install apps from the Microsoft Store. If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet. If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store. If you enable this setting, your employees can only install apps from the Microsoft Store. If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet. If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store. Windows 10, Version 1607 and earlier: If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. If you enable this policy setting, SmartScreen Filter warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. 
If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings. If you enable this policy setting, SmartScreen Filter warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
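Review bot: The three renamed rows ("Allow Windows Defender SmartScreen" and the two "Prevent ignoring Windows Defender SmartScreen warnings" rows) still link to `msdn.microsoft.com/library/windows/hardware/dn904962.aspx`, whereas the ADMX/MDM block earlier in this patch links the same `AllowSmartScreen` policy to `docs.microsoft.com/windows/client-management/mdm/policy-csp-browser`. If the rows are being edited for the rename, update the links in the same pass so both pages point at the same policy reference.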
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index a072d4d7b4..0cd6fc5219 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -90,7 +90,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration"
```
-7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online).
+7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#skype-for-business-online).
Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
@@ -124,13 +124,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, alice@contoso.com):
```PowerShell
- (Get-CsTenant).TenantPoolExtension
+ Get-CsOnlineUser -Identity 'alice@contoso.com' | fl registrarpool
```
OR by setting a variable
```PowerShell
- $strRegistrarPool = (Get-CsTenant).TenantPoolExtension
- $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1)
+ $strRegistrarPool = Get-CsOnlineUser -Identity 'alice@contoso.com' | fl registrarpool | out-string
+ $strRegistrarPool = $strRegistrarPool.Substring($strRegistrarPool.IndexOf(':') + 2)
```
- Enable the Surface Hub account with the following cmdlet:
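Review bot: The new variable form parses formatted display text: `fl registrarpool | out-string` followed by `Substring(IndexOf(':') + 2)` keeps everything after the colon, including the trailing line breaks that `out-string` emits, so `$strRegistrarPool` is not a clean FQDN when it is later passed to `-RegistrarPool`. Read the property directly instead, for example `$strRegistrarPool = (Get-CsOnlineUser -Identity 'alice@contoso.com').RegistrarPool`, or at minimum call `.Trim()` on the result. Note also that the first block uses `fl registrarpool` while the hybrid page uses `fl *registrarpool*`; one form should be used in both places.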
diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md
index 852ea6463d..3312d5f4ec 100644
--- a/devices/surface-hub/surface-hub-2s-account.md
+++ b/devices/surface-hub/surface-hub-2s-account.md
@@ -54,25 +54,26 @@ Instead of using the Microsoft Admin Center portal, you can create the account u
### Connect to Exchange Online PowerShell
-```
-$365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential (Get-Credential) -Authentication Basic –AllowRedirection $ImportResults = Import-PSSession $365Session
+```powershell
+$365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential (Get-Credential) -Authentication Basic –AllowRedirection
+$ImportResults = Import-PSSession $365Session
```
### Create a new Room Mailbox
-```
+```powershell
New-Mailbox -MicrosoftOnlineServicesID account@YourDomain.com -Alias SurfaceHub2S -Name SurfaceHub2S -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "
Events are logged in the Application Event Log. Note: Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater.
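Review bot: In the "Connect to Exchange Online PowerShell" block of surface-hub-2s-account.md, the re-added `New-PSSession` line still writes `–AllowRedirection` with a typographic en dash while every other parameter on the line uses an ASCII hyphen; since the line is being rewritten anyway, change it to `-AllowRedirection` so the sample is consistent and searchable. The same line keeps `-Authentication Basic`, so it is worth confirming that this is still the connection method the article intends to document.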
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 6281fa157d..81b911bb6f 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -9,7 +9,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 11/20/2019
+ms.date: 12/02/2019
ms.reviewer: scottmca
manager: dansimp
ms.localizationpriority: medium
@@ -90,7 +90,7 @@ The following list shows all the available devices you can manage in SEMM:
| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. |
| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. |
| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. |
-| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. |
+| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is disabled. |
| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. |
| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. |
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
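Review bot: The corrected Network Stack row now reads "the ability to manage Network Stack boot settings is disabled", which leaves it unclear whether the unconfigured default disables network boot itself or only the management of it. The neighbouring rows state the default of the feature ("USB Boot is enabled", "Boot Order Lock is disabled"), so if the intent is that network boot is off by default, say "Network Stack boot is disabled" to match. This matters for anyone relying on the table to judge which boot paths are open on an unconfigured device.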
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index 74c348d2d1..cb201c332e 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -24,6 +24,9 @@ System Model and System SKU are variables that are stored in the System Manageme
| Device | System Model | System SKU |
| ---------- | ----------- | -------------- |
+| AMD Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1873 |
+| Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1867:1868 |
+| Surface Laptop 3 | Surface 3 | Surface_3
| Surface 3 WiFI | Surface 3 | Surface_3 |
| Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 |
| Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 |
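Review bot: The third added row, `| Surface Laptop 3 | Surface 3 | Surface_3`, has no closing pipe and reuses the `Surface_3` SKU that the existing "Surface 3 WiFI" row already owns, so it looks like a leftover from editing rather than a real entry; drop it or complete it. All three new rows also give the System Model as "Surface 3" for a Surface Laptop 3 device, which should be checked against the actual SMBIOS value, because scripts that filter on System Model would treat these devices as Surface 3.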
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 43b68e46ad..35146fcace 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1617,7 +1617,7 @@ As a final quality control step, verify the device configuration to ensure that
* The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
* Windows Update is active and current with software updates.
* Windows Defender is active and current with malware Security intelligence.
-* The SmartScreen Filter is active.
+* Windows Defender SmartScreen is active.
* All Microsoft Store apps are properly installed and updated.
* All Windows desktop apps are properly installed and updated.
* Printers are properly configured.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3cfeafb6d3..5fd1f4093a 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -1096,7 +1096,7 @@ As a final quality control step, verify the device configuration to ensure that
- The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
- Windows Update is active and current with software updates.
- Windows Defender is active and current with malware Security intelligence.
-- The SmartScreen Filter is active.
+- Windows Defender SmartScreen is active.
- All Microsoft Store apps are properly installed and updated.
- All Windows desktop apps are properly installed and updated.
- Printers are properly configured.
diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md
index 3832e088c4..bd78561b83 100644
--- a/mdop/agpm/index.md
+++ b/mdop/agpm/index.md
@@ -19,7 +19,7 @@ Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of th
## AGPM Version Information
-[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
+[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index e2ed065b74..55dcc71e05 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -1,5 +1,5 @@
---
-title: How to Allow Only Administrators to Enable Connection Groups (Windows 10)
+title: Only Allow Admins to Enable Connection Groups (Windows 10)
description: How to Allow Only Administrators to Enable Connection Groups
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index b6d62b3219..5ba6786e15 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -1,5 +1,5 @@
---
-title: How to apply the deployment configuration file by using Windows PowerShell (Windows 10)
+title: Apply deployment config file via Windows PowerShell (Windows 10)
description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 6e88aa4a89..3acd5f85db 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -1,5 +1,5 @@
---
-title: Automatically clean up unpublished packages on the App-V client (Windows 10)
+title: Auto-remove unpublished packages on App-V client (Windows 10)
description: How to automatically clean up any unpublished packages on your App-V client devices.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 87ee2f267a..7209027bb8 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -1,5 +1,5 @@
---
-title: How to Install the Publishing Server on a Remote Computer (Windows 10)
+title: Install the Publishing Server on a Remote Computer (Windows 10)
description: How to Install the App-V Publishing Server on a Remote Computer
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 44260b0181..a7c0f2f152 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -46,15 +46,22 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
>
>`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
>
+ > This command only works for AADJ device users already added to any of the local groups (administrators).
+ > Otherwise this command throws the below error. For example:
+ > for cloud only user: "There is no such global user or group : *name*"
+ > for synced user: "There is no such global user or group : *name*"
+ >
>In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
>In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
- >[!TIP]
- >When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
+ > [!TIP]
+ > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
+> [!Note]
+> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations
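Review bot: The added `[!Note]` at the end of this hunk tells readers to revert to RDP 5.0 "by changing a few changes in the RDP file" without naming the settings or what is given up by turning the RDP 6.0 features off; reword to "by making a few changes to the RDP file" and list the settings, or state what behaviour changes, rather than leaving it all to the support link. Separately, the two added error examples for cloud-only and synced users show identical text, so either merge them into one line or show the message that actually differs, and the added `>` lines carry a leading space that the surrounding quote lines do not.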
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 67aad1cf77..9241a7fdf7 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -237,7 +237,6 @@
#### [Security](policy-csp-security.md)
#### [ServiceControlManager](policy-csp-servicecontrolmanager.md)
#### [Settings](policy-csp-settings.md)
-#### [SmartScreen](policy-csp-smartscreen.md)
#### [Speech](policy-csp-speech.md)
#### [Start](policy-csp-start.md)
#### [Storage](policy-csp-storage.md)
@@ -253,6 +252,7 @@
#### [Wifi](policy-csp-wifi.md)
#### [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md)
#### [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)
+#### [WindowsDefenderSmartScreen](policy-csp-smartscreen.md)
#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
#### [WindowsLogon](policy-csp-windowslogon.md)
#### [WindowsPowerShell](policy-csp-windowspowershell.md)
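Review bot: The new TOC entry is labelled `WindowsDefenderSmartScreen` but still links to `policy-csp-smartscreen.md`, and it has been moved out of the "S" position in the list. If the TOC labels are meant to mirror the policy area name used in the CSP path, confirm that the area itself was renamed; if only the product branding changed, keeping the label `SmartScreen` in its original alphabetical slot avoids sending admins to look for a policy area name that does not exist.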
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index cb636ce3ef..dbbecb3b74 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -40,7 +40,7 @@ This node is the policy binary itself, which is encoded as base64.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
-Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base64-encoded content output by the ConvertFrom-CIPolicy cmdlet.
+Value type is b64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet.
Default value is empty.
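Review bot: The rewritten sentence says the supported value is "a binary file" but no longer says that it must be base64-encoded, even though the same line gives the value type as b64 and the hunk context describes the node as "encoded as base64". A reader could take this to mean the raw `ConvertFrom-CIPolicy` output is sent as is. Suggest keeping both facts, for example "the base64-encoded content of the binary policy file produced from the policy XML by ConvertFrom-CIPolicy".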
@@ -118,8 +118,7 @@ To use ApplicationControl CSP, you must:
- Know a generated policy’s GUID, which can be found in the policy xml as `
+> [!NOTE]
+> To find data formats (and other policy-related details), see [Policy DDF file](https://docs.microsoft.com/windows/client-management/mdm/policy-ddf-file).
+
**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
@@ -3698,4 +3701,3 @@ Footnotes:
- 6 - Added in Windows 10, version 1903.
-
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index e620185a9d..c26f13353d 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -130,3 +130,8 @@ Value type is Base64. Supported operation is Replace.
Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting.
Supported operation is Get.
+
+
+## Related topics
+
+[UEFI DDF file](./uefi-ddf.md)
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index b6fb182eae..914c39c364 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -296,21 +296,13 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
[**Win32\_UninterruptiblePowerSupply**](https://msdn.microsoft.com/library/windows/hardware/aa394503) |
[**Win32\_USBController**](https://msdn.microsoft.com/library/windows/hardware/aa394504) |
[**Win32\_UTCTime**](https://msdn.microsoft.com/library/windows/hardware/aa394510) | 
-[**Win32\_VideoController**](https://msdn.microsoft.com/library/windows/hardware/aa394505) |
+[**Win32\_VideoController**](https://docs.microsoft.com/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-10/10/2016
-
-
-
-
+## Related Links
+[CIM Video Controller](https://docs.microsoft.com/windows/win32/cimwin32prov/cim-videocontroller)
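Review bot: The added `## Related Links` heading sits directly under the existing `## Related topics` heading and holds a single link, so the page ends with two near-identical sections in different capitalisation; put the CIM Video Controller link under `## Related topics` instead. The change also removes the blank line between `## Related topics` and its first link, and only the `Win32_VideoController` row is moved to a docs.microsoft.com URL while the neighbouring rows still point to msdn.microsoft.com, which is worth either noting in the commit message or finishing in the same pass.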
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 27b46491dc..3acffc551f 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -1,5 +1,5 @@
---
-title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
+title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device
description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
ms.prod: w10
ms.mktglfcycl:
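Review bot: The new title "Advanced advice for Stop error 7B, Inaccessible_Boot_Device" reads awkwardly and drops the word "troubleshoot" that the unchanged description line still uses. If the goal is a shorter title, something like "Troubleshoot Stop error 7B or Inaccessible_Boot_Device" is shorter than the original and keeps the term people search for.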
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index da7f583966..47a439de72 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -634,12 +634,12 @@ The following settings for Microsoft Edge on Windows 10 Mobile can be managed.
- **Allow InPrivate** Whether users can use InPrivate browsing
- **Allow Password Manager** Whether users can use Password Manager to save and manage passwords locally
- **Allow Search Suggestions in Address Bar** Whether search suggestions are shown in the address bar
-- **Allow SmartScreen** Whether SmartScreen Filter is enabled
+- **Allow Windows Defender SmartScreen** Whether Windows Defender SmartScreen is enabled
- **Cookies** Whether cookies are allowed
- **Favorites** Configure Favorite URLs
- **First Run URL** The URL to open when a user launches Microsoft Edge for the first time
-- **Prevent SmartScreen Prompt Override** Whether users can override the SmartScreen warnings for URLs
-- **Prevent Smart Screen Prompt Override for Files** Whether users can override the SmartScreen warnings for files
+- **Prevent Windows Defender SmartScreen Prompt Override** Whether users can override the Windows Defender SmartScreen warnings for URLs
+- **Prevent Smart Screen Prompt Override for Files** Whether users can override the Windows Defender SmartScreen warnings for files
## Manage
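Review bot: In the last added line the setting name is still written "Prevent Smart Screen Prompt Override for Files" (two words, no "Windows Defender") while its description and the line above were both updated to "Windows Defender SmartScreen". Either rename it to match the URL variant on the previous line or, if this is the literal setting name shown in the MDM console, leave the other names literal as well so the list stays consistent.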
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index c319034f39..8c30018235 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -18,23 +18,23 @@ Microsoft regularly releases both updates for Windows Server. To ensure your ser
This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available.
-### Troubleshoot 802.1x Authentication
+## Troubleshoot 802.1x Authentication
- [Advanced Troubleshooting 802.1X Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication)
- [Data collection for troubleshooting 802.1X authentication](https://docs.microsoft.com/windows/client-management/data-collection-for-802-authentication)
-### Troubleshoot BitLocker
-- [BitLocker overview and requirements FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq)
-- [BitLocker Upgrading FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq)
-- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq)
-- [BitLocker Key Management FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq)
-- [BitLocker To Go FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)
-- [BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq)
-- [BitLocker Security FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-security-faq)
-- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq)
-- [Using BitLocker with other programs FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq)
-- [BitLocker recovery guide (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
+## Troubleshoot BitLocker
+- [Guidelines for troubleshooting BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/troubleshoot-bitlocker)
+- [BitLocker cannot encrypt a drive: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues)
+- [Enforcing BitLocker policies by using Intune: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues)
+- [BitLocker Network Unlock: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues)
+- [BitLocker recovery: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues)
+- [BitLocker configuration: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues)
+- [BitLocker cannot encrypt a drive: known TPM issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues)
+- [BitLocker and TPM: other known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues)
+- [Decode Measured Boot logs to track PCR changes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs)
+- [BitLocker frequently asked questions (FAQ)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions)
-### Troubleshoot Bugcheck and Stop errors
+## Troubleshoot Bugcheck and Stop errors
- [Introduction to the page file](https://docs.microsoft.com/windows/client-management/introduction-page-file)
- [How to determine the appropriate page file size for 64-bit versions of Windows](https://docs.microsoft.com/windows/client-management/determine-appropriate-page-file-size)
- [Configure system failure and recovery options in Windows](https://docs.microsoft.com/windows/client-management/system-failure-recovery-options)
@@ -44,20 +44,20 @@ This section contains advanced troubleshooting topics and links to help you reso
- [Blue Screen Data - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/blue-screen-data)
- [Bug Check Code Reference - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)
-### Troubleshoot Credential Guard
+## Troubleshoot Credential Guard
- [Windows Defender Credential Guard - Known issues (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-known-issues)
-### Troubleshoot Disks
+## Troubleshoot Disks
- [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt)
- [Windows and GPT FAQ](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-and-gpt-faq)
-### Troubleshoot Kiosk mode
+## Troubleshoot Kiosk mode
- [Troubleshoot kiosk mode issues](https://docs.microsoft.com/windows/configuration/kiosk-troubleshoot)
-### Troubleshoot No Boot
+## Troubleshoot No Boot
- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems)
-### Troubleshoot Push Button Reset
+## Troubleshoot Push Button Reset
- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-faq)
- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-validation)
- [Recovery components](https://docs.microsoft.com/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations)
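Review bot: The context lines under `## Troubleshoot Push Button Reset` list two links with the same title, "Push-button reset frequently-asked questions (FAQ)", and the second one points to `pbr-validation`. Since this change already touches the section heading, give the second link a title that matches its target so readers can tell the two apart.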
@@ -66,46 +66,46 @@ This section contains advanced troubleshooting topics and links to help you reso
- [Modern Standby FAQs](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-faqs)
-### Troubleshoot Secure Boot
+## Troubleshoot Secure Boot
- [Secure Boot isn't configured correctly: troubleshooting](https://docs.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting)
-### Troubleshoot Setup and Install
+## Troubleshoot Setup and Install
- [Deployment Troubleshooting and Log Files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files)
-### Troubleshoot Start Menu
+## Troubleshoot Start Menu
- [Troubleshoot Start menu errors](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot)
-### Troubleshoot Subscription Activation
+## Troubleshoot Subscription Activation
- [Deploy Windows 10 Enterprise licenses](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses)
-### Troubleshoot System Hang
+## Troubleshoot System Hang
- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
-### Troubleshoot TCP/IP Communication
+## Troubleshoot TCP/IP Communication
- [Collect data using Network Monitor](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-netmon)
- [Troubleshoot TCP/IP connectivity](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-connectivity)
- [Troubleshoot port exhaustion issues](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-port-exhaust)
- [Troubleshoot Remote Procedure Call (RPC) errors](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-rpc-errors)
-### Troubleshoot User State Migration Toolkit (USMT)
+## Troubleshoot User State Migration Toolkit (USMT)
- [Common Issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues)
- [Frequently Asked Questions](https://docs.microsoft.com/windows/deployment/usmt/usmt-faq)
- [Log Files](https://docs.microsoft.com/windows/deployment/usmt/usmt-log-files)
- [Return Codes](https://docs.microsoft.com/windows/deployment/usmt/usmt-return-codes)
-### Troubleshoot Windows Hello for Business (WHFB)
+## Troubleshoot Windows Hello for Business (WHFB)
- [Windows Hello for Business Frequently Asked Questions](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-faq)
- [Windows Hello errors during PIN creation (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation)
- [Event ID 300 - Windows Hello successfully created (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-event-300)
-### Troubleshoot Windows Analytics
+## Troubleshoot Windows Analytics
- [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-faq-troubleshooting)
-### Troubleshoot Windows Update
+## Troubleshoot Windows Update
- [How Windows Update works](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works)
- [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs)
- [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting)
@@ -114,7 +114,7 @@ This section contains advanced troubleshooting topics and links to help you reso
- [Get started with Windows Update](https://docs.microsoft.com/windows/deployment/update/windows-update-overview)
- [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates)
-### Troubleshoot Windows Upgrade
+## Troubleshoot Windows Upgrade
- [Quick fixes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes)
- [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag)
- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors)
@@ -123,10 +123,10 @@ This section contains advanced troubleshooting topics and links to help you reso
- [Log files - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/log-files)
- [Resolution procedures - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures)
-### Troubleshoot Windows Recovery (WinRE)
+## Troubleshoot Windows Recovery (WinRE)
- [Windows RE troubleshooting features](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features)
-### Troubleshoot Wireless Connection
+## Troubleshoot Wireless Connection
- [Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
## Other Resources
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 8c6f2186a3..0122fb2eb7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10)
+title: Configure Cortana with Group Policy and MDM settings (Windows 10)
description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index a1dfe7d5c0..a7b6e72c12 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10)
+title: Sign-in to Azure AD and manage notebook with Cortana (Windows 10)
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 70a280cb22..c58d165771 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10)
+title: Perform a quick search with Cortana at work (Windows 10)
description: A test scenario about how to perform a quick search with Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index e82abbd92a..d072cdb5fa 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10)
+title: Set a reminder for a location with Cortana at work (Windows 10)
description: A test scenario about how to set a location-based reminder using Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 3283f2d1ad..4ea208fcfd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
+title: Use Cortana at work to find your upcoming meetings (Windows 10)
description: A test scenario about how to use Cortana at work to find your upcoming meetings.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 7fe284c023..f5efc05577 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
+title: Use Cortana to send email to a co-worker (Windows 10)
description: A test scenario about how to use Cortana at work to send email to a co-worker.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 7d96f06030..f5ffb003b7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email (Windows 10)
+title: Review a reminder suggested by Cortana (Windows 10)
description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 01f326616c..a00867e25b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -1,5 +1,5 @@
---
-title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+title: Help protect data with Cortana and WIP (Windows 10)
description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
ms.prod: w10
ms.mktglfcycl: manage
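Review bot: the new `+title:` line uses the bare acronym "WIP", and a title is often displayed without its description (browser tab, search result), so a reader looking for Windows Information Protection may not recognise the page. The expansion now survives only in the unchanged `description:` line. If the title length limit allows, spell the name out, or at least confirm the description is what surfaces alongside the title.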
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index bda947c233..047006fce2 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -1,5 +1,5 @@
---
-title: Customize Windows 10 Start and taskbar with mobile device management (MDM) (Windows 10)
+title: Alter Windows 10 Start and taskbar via mobile device management
description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
ms.reviewer:
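Review bot: the unchanged `description:` line directly under the new title still contains the typo "tasbkar"; since this hunk already edits the front matter, correct it to "taskbar" here. The new title also switches the verb to "Alter" while the description ("customized Start and tasbkar layout") and the file name keep "customize", so a shortened form that keeps "Customize" would stay consistent with the rest of the page.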
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index dabf9951dc..afb1fa0310 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -1,6 +1,6 @@
---
-title: Use Windows Configuration Designer to configure Windows 10 Mobile devices (Windows 10)
-description:
+title: Configure Windows 10 Mobile devices with Configuration Designer
+description: Use Windows Configuration Designer to configure Windows 10 Mobile devices
keywords: phone, handheld, lockdown, customize
ms.prod: w10
ms.mktglfcycl: manage
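Review bot: the added `+description:` line has no closing period, unlike most of the descriptions visible elsewhere in this patch, and it only restates the title that was just removed. Filling the previously empty description is the right fix; make it a full sentence that says what the page covers and end it with a period.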
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index 4ea4c7f814..f1d9a178fc 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -1,5 +1,5 @@
---
-title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10)
+title: Lock down settings and quick actions in Windows 10 Mobile
description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
ms.reviewer:
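Review bot: the new `+title:` is imperative ("Lock down settings and quick actions ..."), which reads as a procedure, but the unchanged description says the topic lists the settings and quick actions that can be locked down. For a reference list that admins consult when scoping a lockdown policy, a noun-phrase title such as "Settings and quick actions you can lock down in Windows 10 Mobile" keeps the title short without changing what the page promises.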
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 107e1b4b1c..be16f1f393 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,5 +1,5 @@
---
-title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10)
+title: Intro to configuration service providers for IT pros (Windows 10)
description: Configuration service providers (CSPs) expose device configuration settings in Windows 10.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
ms.reviewer:
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index e8ebc96787..8e974645d5 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -1,5 +1,5 @@
---
-title: Settings changed when you uninstall a provisioning package (Windows 10)
+title: Uninstall a provisioning package - reverted settings (Windows 10)
description: This topic lists the settings that are reverted when you uninstall a provisioning package.
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index 191b74f140..3fe4ab887a 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -1,5 +1,5 @@
---
-title: Managing the UE-V Service and Packages with Windows PowerShell and WMI
+title: Manage UE-V Service and Packages with Windows PowerShell and WMI
description: Managing the UE-V service and packages with Windows PowerShell and WMI
author: dansimp
ms.pagetype: mdop, virtualization
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 5ccfcbb449..62f3b52b5d 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -135,8 +135,8 @@ This section describes the **Policies** settings that you can configure in [prov
| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | | X |
| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | |
| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | X |
-| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | X |
-| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | X |
+| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | X | X | X | | X |
+| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | X | X | X | | X |
PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | | | | |
| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | |
| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | X |
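Review bot: the unchanged PreventTabPreloading row just below the two edited rows has no leading `|` and no link on the policy name, unlike every other row in this hunk, so it may not render as part of the table; fix it while these rows are being touched. The two edited rows also link to `policy-configuration-service-provider#...` while the PreventCertErrorOverrides row above links to `policy-csp-browser#...`, so confirm which anchor form is current and use it throughout. The rename from "SmartScreen Filter" to "SmartScreen" is otherwise fine, and its "whether users can override" wording would also suit the PreventCertErrorOverrides description, which does not say who is overriding the warning.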
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index a89f01eda9..692b7306a7 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,190 +1,191 @@
----
-title: Create a task sequence with Configuration Manager and MDT (Windows 10)
-description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, task sequence, install
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.pagetype: mdt
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Create a task sequence with Configuration Manager and MDT
-
-
-**Applies to**
-
-- Windows 10
-
-In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Create a task sequence using the MDT Integration Wizard
-
-
-This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and then click **Next**:
-
- * Task sequence name: Windows 10 Enterprise x64 RTM
-
- * Task sequence comments: Production image with Office 2013
-
-4. On the **Details** page, assign the following settings and then click **Next**:
-
- * Join a Domain
-
- * Domain: contoso.com
-
- * Account: CONTOSO\\CM\_JD
-
- * Password: Passw0rd!
-
- * Windows Settings
-
- * User name: Contoso
-
- * Organization name: Contoso
-
- * Product key: <blank>
-
-5. On the **Capture Settings** page, accept the default settings, and click **Next**.
-
-6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-
-8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
-
-9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
-
-10. On the **Deployment Method** page, accept the default settings and click **Next**.
-
-11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
-
-12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
-
-14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
-
-15. On the **Sysprep Package** page, click **Next** twice.
-
-16. On the **Confirmation** page, click **Finish**.
-
-## Edit the task sequence
-
-
-After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
-
-1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
-
-2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
-
- * OSDPreserveDriveLetter: True
-
- >[!NOTE]
- >If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
-
-4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
-
-5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
-
-6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
-
- * Name: HP EliteBook 8560w
-
- * Driver Package: Windows 10 x64 - HP EliteBook 8560w
-
- * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-
- >[!NOTE]
- >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-
- 
-
- *Figure 24. The driver package options*
-
-7. In the **State Restore / Install Applications** group, select the **Install Application** action.
-
-8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
-
- 
-
- *Figure 25. Add an application to the Configuration Manager task sequence*
-
-9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
-
- * Restore state from another computer
-
- * If computer account fails to connect to state store, use the Network Access account
-
- * Options: Continue on error
-
- * Options / Condition:
-
- * Task Sequence Variable
-
- * USMTLOCAL not equals True
-
-10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
-
- * Options: Continue on error
-
- * Options / Condition:
-
- * Task Sequence Variable
-
- * USMTLOCAL not equals True
-
-11. Click **OK**.
-
->[!NOTE]
->The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
-
-
-
-## Move the packages
-
-
-While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-
-2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
-
-3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+---
+title: Create a task sequence with Configuration Manager (Windows 10)
+description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, task sequence, install
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.pagetype: mdt
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a task sequence with Configuration Manager and MDT
+
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+
+For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+## Create a task sequence using the MDT Integration Wizard
+
+
+This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
+
+1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+
+2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
+
+3. On the **General** page, assign the following settings and then click **Next**:
+
+ * Task sequence name: Windows 10 Enterprise x64 RTM
+
+ * Task sequence comments: Production image with Office 2013
+
+4. On the **Details** page, assign the following settings and then click **Next**:
+
+ * Join a Domain
+
+ * Domain: contoso.com
+
+ * Account: CONTOSO\\CM\_JD
+
+ * Password: Passw0rd!
+
+ * Windows Settings
+
+ * User name: Contoso
+
+ * Organization name: Contoso
+
+ * Product key: <blank>
+
+5. On the **Capture Settings** page, accept the default settings, and click **Next**.
+
+6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+
+7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
+
+8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
+
+9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
+
+10. On the **Deployment Method** page, accept the default settings and click **Next**.
+
+11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
+
+12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
+
+13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
+
+14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
+
+15. On the **Sysprep Package** page, click **Next** twice.
+
+16. On the **Confirmation** page, click **Finish**.
+
+## Edit the task sequence
+
+
+After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
+
+1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
+
+2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
+
+ * OSDPreserveDriveLetter: True
+
+ >[!NOTE]
+ >If you don't change this value, your Windows installation will end up in E:\\Windows.
+
+3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
+
+4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
+
+5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
+
+6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
+
+ * Name: HP EliteBook 8560w
+
+ * Driver Package: Windows 10 x64 - HP EliteBook 8560w
+
+ * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
+
+ >[!NOTE]
+ >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+
+ 
+
+ *Figure 24. The driver package options*
+
+7. In the **State Restore / Install Applications** group, select the **Install Application** action.
+
+8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
+
+ 
+
+ *Figure 25. Add an application to the Configuration Manager task sequence*
+
+9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
+
+ * Restore state from another computer
+
+ * If computer account fails to connect to state store, use the Network Access account
+
+ * Options: Continue on error
+
+ * Options / Condition:
+
+ * Task Sequence Variable
+
+ * USMTLOCAL not equals True
+
+10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
+
+ * Options: Continue on error
+
+ * Options / Condition:
+
+ * Task Sequence Variable
+
+ * USMTLOCAL not equals True
+
+11. Click **OK**.
+
+>[!NOTE]
+>The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
+
+
+
+## Move the packages
+
+
+While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
+
+1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
+
+2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+
+3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
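Review bot: `author: greg-lindsay` is kept as an unchanged line near the top of this hunk and is also added again as `+author: greg-lindsay` inside the new front matter, which matches the hunk growing from 190 to 191 lines; as shown, the retained copy sits ahead of the new opening `---`, so the file would carry the key twice, once outside the front matter. Every other line is removed and re-added with what appears to be identical text apart from `title:`, which points to a line-ending or whitespace rewrite; do that normalisation in a separate commit so the one-line title change is reviewable, and drop the duplicate author line. The new title drops "and MDT" while the H1 and the description still describe MDT integration, so check that the shortened title does not hide the page from readers searching for MDT. Since the body is being re-added in full anyway, consider replacing the literal `Password: Passw0rd!` in step 4 with a placeholder so the sample credential is not copied into real task sequences.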
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 895381896b..79b6610104 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -1,96 +1,97 @@
----
-title: Use the MDT database to stage Windows 10 deployment information (Windows 10)
-description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini).
-ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.pagetype: mdt
-keywords: database, permissions, settings, configure, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Use the MDT database to stage Windows 10 deployment information
-
-This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines.
-
-## Database prerequisites
-
-MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
-
->[!NOTE]
->Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
-
-## Create the deployment database
-
-The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
-
->[!NOTE]
->Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
-
-1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
-2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:
- 1. SQL Server Name: MDT01
- 2. Instance: SQLEXPRESS
- 3. Port: <blank>
- 4. Network Library: Named Pipes
-3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
-4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
-
-
-
-Figure 8. The MDT database added to MDT01.
-
-## Configure database permissions
-
-After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
-1. On MDT01, start SQL Server Management Studio.
-2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
-3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
-
- 
-
- Figure 9. The top-level Security node.
-
-4. On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
- 1. db\_datareader
- 2. public (default)
-5. Click **OK**, and close SQL Server Management Studio.
-
-
-
-Figure 10. Creating the login and settings permissions to the MDT database.
-
-## Create an entry in the database
-
-To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
-1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
-2. Right-click **Computers**, select **New**, and add a computer entry with the following settings:
- 1. Description: New York Site - PC00075
- 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format>
- 3. Details Tab / OSDComputerName: PC00075
-
-
-
-Figure 11. Adding the PC00075 computer to the database.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+---
+title: Use MDT database to stage Windows 10 deployment info (Windows 10)
+description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini).
+ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.pagetype: mdt
+keywords: database, permissions, settings, configure, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Use the MDT database to stage Windows 10 deployment information
+
+This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines.
+
+## Database prerequisites
+
+MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
+
+>[!NOTE]
+>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
+
+## Create the deployment database
+
+The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
+
+>[!NOTE]
+>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
+
+1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
+2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:
+ 1. SQL Server Name: MDT01
+ 2. Instance: SQLEXPRESS
+ 3. Port: <blank>
+ 4. Network Library: Named Pipes
+3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
+4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
+
+
+
+Figure 8. The MDT database added to MDT01.
+
+## Configure database permissions
+
+After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
+1. On MDT01, start SQL Server Management Studio.
+2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
+3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
+
+ 
+
+ Figure 9. The top-level Security node.
+
+4. On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
+ 1. db\_datareader
+ 2. public (default)
+5. Click **OK**, and close SQL Server Management Studio.
+
+
+
+Figure 10. Creating the login and settings permissions to the MDT database.
+
+## Create an entry in the database
+
+To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
+2. Right-click **Computers**, select **New**, and add a computer entry with the following settings:
+ 1. Description: New York Site - PC00075
+ 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format>
+ 3. Details Tab / OSDComputerName: PC00075
+
+
+
+Figure 11. Adding the PC00075 computer to the database.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
+
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
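Review bot: The re-added note under "Create the deployment database" opens port 1433 TCP and port 1434 UDP for inbound traffic on MDT01 without naming a source scope, while step 2 of the wizard selects Named Pipes as the network library. Suggest limiting the firewall rule to the deployment subnets and confirming that the listed ports are the ones the chosen library needs. In the same hunk, `Port: <blank>` and the `<PC00075 MAC Address in the 00:00:00:00:00:00 format>` placeholder use raw angle brackets, which a Markdown renderer may treat as HTML and drop; escaping them or using code formatting would keep them visible. The visible body is otherwise re-added word for word from the removed lines, so if the whole-file replacement is a line-ending or encoding change, the commit message should say so.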
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index e86096e831..19ffe1ae2a 100644
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,107 +1,108 @@
----
-title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10)
-description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, task sequence, custom, customize
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Create an application to deploy with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
->Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
-## Example: Create the Adobe Reader XI application
-
-
-The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
-
-1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
-
-2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
-
-3. Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
-
-4. Right-click the **OSD** folder, and select **Create Application**.
-
-5. In the Create Application Wizard, on the **General** page, use the following settings:
-
- * Automatically detect information about this application from installation files
-
- * Type: Windows Installer (\*.msi file)
-
- * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
-
- * \\AdbeRdr11000\_en\_US.msi
-
- 
-
- *Figure 19. The Create Application Wizard*
-
-6. Click **Next**, and wait while Configuration Manager parses the MSI file.
-
-7. On the **Import Information** page, review the information and then click **Next**.
-
-8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
-
- >[!NOTE]
- >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-
- 
-
- *Figure 20. Add the "OSD Install" suffix to the application name*
-
-9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
-
-10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+---
+title: Create an app to deploy with Windows 10 using Configuration Manager
+description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, task sequence, custom, customize
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create an application to deploy with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.
+
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+>[!NOTE]
+>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
+
+## Example: Create the Adobe Reader XI application
+
+
+The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
+
+1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
+
+2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
+
+3. Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
+
+4. Right-click the **OSD** folder, and select **Create Application**.
+
+5. In the Create Application Wizard, on the **General** page, use the following settings:
+
+ * Automatically detect information about this application from installation files
+
+ * Type: Windows Installer (\*.msi file)
+
+ * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
+
+ * \\AdbeRdr11000\_en\_US.msi
+
+ 
+
+ *Figure 19. The Create Application Wizard*
+
+6. Click **Next**, and wait while Configuration Manager parses the MSI file.
+
+7. On the **Import Information** page, review the information and then click **Next**.
+
+8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
+
+ >[!NOTE]
+ >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+
+ 
+
+ *Figure 20. Add the "OSD Install" suffix to the application name*
+
+9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
+
+10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+
+
+
+
+
+
+
+
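Review bot: Step 1 of "Example: Create the Adobe Reader XI application" copies the downloaded MSI from C:\Setup\Adobe Reader XI into E:\Sources\Software\Adobe with no step to confirm where the installer came from. Since the whole file is being rewritten, consider adding a line that tells the reader to verify the MSI's digital signature before it goes into the source share, because every task sequence deployment installs from that copy. The new front-matter title says "Create an app to deploy" while the H1 still reads "Create an application to deploy"; pick one wording. The run of empty lines re-added after the last "Related topics" link can be trimmed.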
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 097ab5c60f..b695cf75f7 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10)
+title: Finalize operating system configuration for Windows 10 deployment
description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
ms.reviewer:
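Review bot: The new title drops "with Configuration Manager", but the unchanged description line still scopes the topic to System Center 2012 R2 Configuration Manager, so the shortened title no longer tells a reader which deployment tool the page covers. Suggest keeping the product name and shortening elsewhere, for example by dropping "the" as already done. The description in the context line also reads "Windows 10 operating deployment", which looks like a missing "system" and could be fixed in the same change.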
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index c0e59fd398..d5fce49214 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -1,88 +1,89 @@
----
-title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10)
-description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench.
-ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Monitor the Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
-
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:
-
-1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
-
- >[!NOTE]
- >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
-
- 
-
- *Figure 33. PC0001 being deployed by Configuration Manager*
-
-2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
-
-3. The task sequence will now run and do the following:
-
- * Install the Windows 10 operating system.
-
- * Install the Configuration Manager client and the client hotfix.
-
- * Join the machine to the domain.
-
- * Install the application added to the task sequence.
-
- >[!NOTE]
- >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
-
-4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+---
+title: Monitor the Windows 10 deployment with Configuration Manager
+description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench.
+ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Monitor the Windows 10 deployment with Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
+
+For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:
+
+1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
+
+ >[!NOTE]
+ >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
+
+ 
+
+ *Figure 33. PC0001 being deployed by Configuration Manager*
+
+2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
+
+3. The task sequence will now run and do the following:
+
+ * Install the Windows 10 operating system.
+
+ * Install the Configuration Manager client and the client hotfix.
+
+ * Join the machine to the domain.
+
+ * Install the application added to the task sequence.
+
+ >[!NOTE]
+ >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+
+4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+
+
+
+
+
+
+
+
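Review bot: Step 4 has the reader log in to the newly deployed PC0001 as Administrator in the CONTOSO domain just to confirm that Adobe Reader XI was installed; an interactive sign-in with the domain's built-in Administrator account on a client is a habit worth keeping out of a walkthrough that readers copy into production. Suggest verifying with a standard domain user, or with the task sequence report that the note under step 3 already mentions. Separately, the file ends with a run of empty `+` lines after the last Related topics link and has a doubled blank line under `## Related topics`; trim these to a single trailing newline.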
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index c434f06486..bb66b25095 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -1,5 +1,5 @@
---
-title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10)
+title: Create a Custom Compatibility Mode (Windows 10)
description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0
ms.reviewer:
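Review bot: The new title drops the tool name, so `Create a Custom Compatibility Mode (Windows 10)` no longer says where the mode is created, while the AppHelp page retitled in this same patch keeps "in Compatibility Administrator". If the shortening is for a title length limit, say so in the commit message and apply one pattern to all three Compatibility Administrator pages.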
diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
index e4ebfef4e3..8d8da0f126 100644
--- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -1,5 +1,5 @@
---
-title: Creating an AppHelp Message in Compatibility Administrator (Windows 10)
+title: Create AppHelp Message in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848
ms.reviewer:
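Review bot: The new title line drops the article and reads as a fragment ("Create AppHelp Message"), whereas the neighbouring retitled page keeps its article ("Create a Custom Compatibility Mode"). Suggest `title: Create an AppHelp Message in Compatibility Administrator (Windows 10)`, which still removes the gerund.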
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index f8f502fe93..e066e2b214 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -1,5 +1,5 @@
---
-title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10)
+title: Install/Uninstall Custom Databases (Windows 10)
description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f
ms.reviewer:
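Review bot: In the new title, "Custom Databases" loses the word that identifies the subject; the unchanged description line speaks of custom-compatibility and standard-compatibility databases. Suggest `title: Install/Uninstall Custom Compatibility Databases (Windows 10)` so the title and description still match.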
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 7ff8c3069a..6def761bdb 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -28,7 +28,7 @@ The features described below are no longer being actively developed, and might b
| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
-| TFS1/TFS2 IME | TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TFS) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. | 1909 |
+| TFS1/TFS2 IME | TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TSF) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
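Review bot: The acronym fix on the changed row is incomplete: the parenthetical now reads "(TSF)" and the description uses TSF1, TSF2 and TSF3, but the first cell of the same row still reads "TFS1/TFS2 IME". Change the row label to "TSF1/TSF2 IME" in this commit so the table is consistent.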
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 8751735da2..49d29f4d8a 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -53,5 +53,5 @@ Typically, the improvements are reliability and performance improvements that do
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
-* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
-* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
\ No newline at end of file
+* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
+* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
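Review bot: The replacement advisory link hard-codes the `en-us` locale, while the docs.microsoft.com links elsewhere in this patch are locale-neutral. If the neutral URL no longer resolves, note that in the commit message; otherwise keep the link without a locale so readers are not forced to the English page. Since the line is being touched anyway, "Search to install latest available" could also be reworded to "Search for and install the latest available".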
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index d28b788ca7..4d5f0b31bc 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,5 +1,5 @@
---
-title: Integrate Windows Update for Business with management solutions (Windows 10)
+title: Integrate Windows Update for Business (Windows 10)
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 7563d572b3..1ebdd76767 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
+title: Deploy Windows 10 updates via System Center Configuration Manager
description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
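Review bot: The new title drops the "(Windows 10)" suffix that the other retitled pages in this patch keep, for example "Integrate Windows Update for Business (Windows 10)". Either keep the suffix here or state the rule for when it is omitted, so titles in the update folder follow one pattern.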
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index e425484498..c0d1218ade 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -1,6 +1,6 @@
---
-title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
-description: tbd
+title: Deploy updates to Windows 10 Mobile or Windows 10 IoT Mobile
+description: Deploy updates to devices in your organization that are running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
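Review bot: The new title and description disagree on the product name: the title says "Windows 10 Mobile" and the description says "Windows 10 Mobile Enterprise", which was also the name in the old title. Pick one and use it in both lines. Replacing the `tbd` description is a good fix.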
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 71135004a4..7eda1ffad1 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -42,17 +42,17 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
| Delivery Optimization |  |  |  |  |
| BranchCache |  |  | |  |
->[!NOTE]
->System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
+> [!NOTE]
+> System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
>
->In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
+> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
## Express update delivery
Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
->[!NOTE]
->Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
+> [!NOTE]
+> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
@@ -81,8 +81,8 @@ The Windows Update client will try to download Express first, and under certain
At this point, the download is complete and the update is ready to be installed.
->[!TIP]
->Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
+> [!TIP]
+> Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
## Steps to manage updates for Windows 10
@@ -98,7 +98,6 @@ At this point, the download is complete and the update is ready to be installed.
## Related topics
-
- [Update Windows 10 in the enterprise](index.md)
- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
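Review bot: The Related topics entry for `waas-mobile-updates.md` in this hunk's context still uses the old link text, "Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile", although this patch retitles that page to "Deploy updates to Windows 10 Mobile or Windows 10 IoT Mobile". Update the link text here, and in any other Related topics list that points at that page, so the link matches its target.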
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index d4e43924fb..8b7d1bcfd2 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,6 +1,6 @@
---
-title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10
-description: Configure Windows Update for Business settings using Group Policy.
+title: Configure Windows Update for Business via Group Policy (Windows 10)
+description: Walkthrough demonstrating how to configure Windows Update for Business settings, using Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -11,7 +11,7 @@ manager: laurawi
ms.topic: article
---
-# Walkthrough: use Group Policy to configure Windows Update for Business
+# Walkthrough: Use Group Policy to configure Windows Update for Business
**Applies to**
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 2590530152..5b7b68067e 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -21,7 +21,7 @@ ms.topic: article
With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.
-Ues the following information to get started with Windows Update:
+Use the following information to get started with Windows Update:
- Understand the UUP architecture
- Understand [how Windows Update works](how-windows-update-works.md)
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 82f4193c52..513ae0cfd8 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,216 +1,217 @@
----
-title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
-ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Perform an in-place upgrade to Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10
-
-The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
-
-## Proof-of-concept environment
-
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager
-
-
-System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
-
-## Create the task sequence
-
-
-To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform:
-
-1. Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share.
-2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder.
-3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1.
-4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point.
-
-For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above.
-
-## Create a device collection
-
-
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed.
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- - General
-
- - Name: Windows 10 Enterprise x64 Upgrade
-
- - Limited Collection: All Systems
-
- - Membership rules:
-
- - Direct rule
-
- - Resource Class: System Resource
-
- - Attribute Name: Name
-
- - Value: PC0001
-
- - Select Resources
-
- - Select PC0001
-
-2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
-
-## Deploy the Windows 10 upgrade
-
-
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
-
-1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
-2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
-3. On the **Content** page, click **Next**.
-4. On the **Deployment Settings** page, select the following settings, and then click **Next**:
- - Action: Install
-
- - Purpose: Available
-
-5. On the **Scheduling** page, accept the default settings, and then click **Next**.
-6. On the **User Experience** page, accept the default settings, and then click **Next**.
-7. On the **Alerts** page, accept the default settings, and then click **Next**.
-8. On the **Summary** page, click **Next**, and then click **Close**.
-
-## Start the Windows 10 upgrade
-
-
-In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
-
-1. On PC0001, start the **Software Center**.
-2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**.
-
-When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-
-
-Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
-
-After the task sequence finishes, the computer will be fully upgraded to Windows 10.
-
-## Upgrade to Windows 10 with System Center Configuration Manager Current Branch
-
-
-With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
-
-**Note**
-For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
-
-
-
-### Create the OS upgrade package
-
-First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media.
-
-1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**.
-2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**.
-3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**.
-4. On the **Summary** page, click **Next**, and then click **Close**.
-5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point.
-
-### Create the task sequence
-
-To create an upgrade task sequence, perform the following steps:
-
-1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**.
-2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
-3. On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**.
-4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**.
-5. Click **Next** through the remaining wizard pages, and then click **Close**.
-
-
-
-Figure 3. The Configuration Manager upgrade task sequence.
-
-### Create a device collection
-
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed.
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- - General
-
- - Name: Windows 10 Enterprise x64 Upgrade
-
- - Limited Collection: All Systems
-
- - Membership rules:
-
- - Direct rule
-
- - Resource Class: System Resource
-
- - Attribute Name: Name
-
- - Value: PC0001
-
- - Select Resources
-
- - Select PC0001
-
-2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
-
-### Deploy the Windows 10 upgrade
-
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
-
-1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
-2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
-3. On the **Content** page, click **Next**.
-4. On the **Deployment Settings** page, select the following settings and click **Next**:
- - Action: Install
-
- - Purpose: Available
-
-5. On the **Scheduling** page, accept the default settings, and then click **Next**.
-6. On the **User Experience** page, accept the default settings, and then click **Next**.
-7. On the **Alerts** page, accept the default settings, and then click **Next**.
-8. On the **Summary** page, click **Next**, and then click **Close**.
-
-### Start the Windows 10 upgrade
-
-In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
-
-1. On PC0001, start the **Software Center**.
-2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.**
-
-When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-After the task sequence completes, the computer will be fully upgraded to Windows 10.
-
-## Related topics
-
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
-
-
-
-
-
-
-
-
-
+---
+title: Perform in-place upgrade to Windows 10 via Configuration Manager
+description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
+ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+
+## Proof-of-concept environment
+
+
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+
+
+Figure 1. The machines used in this topic.
+
+## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager
+
+
+System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
+
+## Create the task sequence
+
+
+To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform:
+
+1. Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share.
+2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder.
+3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1.
+4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point.
+
+For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above.
+
+## Create a device collection
+
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed.
+
+1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+ - General
+
+ - Name: Windows 10 Enterprise x64 Upgrade
+
+ - Limited Collection: All Systems
+
+ - Membership rules:
+
+ - Direct rule
+
+ - Resource Class: System Resource
+
+ - Attribute Name: Name
+
+ - Value: PC0001
+
+ - Select Resources
+
+ - Select PC0001
+
+2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
+
+## Deploy the Windows 10 upgrade
+
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
+2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
+3. On the **Content** page, click **Next**.
+4. On the **Deployment Settings** page, select the following settings, and then click **Next**:
+ - Action: Install
+
+ - Purpose: Available
+
+5. On the **Scheduling** page, accept the default settings, and then click **Next**.
+6. On the **User Experience** page, accept the default settings, and then click **Next**.
+7. On the **Alerts** page, accept the default settings, and then click **Next**.
+8. On the **Summary** page, click **Next**, and then click **Close**.
+
+## Start the Windows 10 upgrade
+
+
+In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
+
+1. On PC0001, start the **Software Center**.
+2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**.
+
+When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+
+
+Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
+
+After the task sequence finishes, the computer will be fully upgraded to Windows 10.
+
+## Upgrade to Windows 10 with System Center Configuration Manager Current Branch
+
+
+With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
+
+**Note**
+For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
+
+
+
+### Create the OS upgrade package
+
+First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media.
+
+1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**.
+2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**.
+3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**.
+4. On the **Summary** page, click **Next**, and then click **Close**.
+5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point.
+
+### Create the task sequence
+
+To create an upgrade task sequence, perform the following steps:
+
+1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**.
+2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+3. On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**.
+4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**.
+5. Click **Next** through the remaining wizard pages, and then click **Close**.
+
+
+
+Figure 3. The Configuration Manager upgrade task sequence.
+
+### Create a device collection
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed.
+
+1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+ - General
+
+ - Name: Windows 10 Enterprise x64 Upgrade
+
+ - Limited Collection: All Systems
+
+ - Membership rules:
+
+ - Direct rule
+
+ - Resource Class: System Resource
+
+ - Attribute Name: Name
+
+ - Value: PC0001
+
+ - Select Resources
+
+ - Select PC0001
+
+2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
+
+### Deploy the Windows 10 upgrade
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
+2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
+3. On the **Content** page, click **Next**.
+4. On the **Deployment Settings** page, select the following settings and click **Next**:
+ - Action: Install
+
+ - Purpose: Available
+
+5. On the **Scheduling** page, accept the default settings, and then click **Next**.
+6. On the **User Experience** page, accept the default settings, and then click **Next**.
+7. On the **Alerts** page, accept the default settings, and then click **Next**.
+8. On the **Summary** page, click **Next**, and then click **Close**.
+
+### Start the Windows 10 upgrade
+
+In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
+
+1. On PC0001, start the **Software Center**.
+2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.**
+
+When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+After the task sequence completes, the computer will be fully upgraded to Windows 10.
+
+## Related topics
+
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+
+[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
+
+
+
+
+
+
+
+
+
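Review bot: The object names in the Current Branch section do not agree from step to step. The task sequence is created as **Windows 10 Enterprise x64 Upgrade** and that is the name the reader selects in Software Center, but step 1 of "Deploy the Windows 10 upgrade" says to right-click **Windows vNext Upgrade**. The upgrade package is named Windows 10 Enterprise x64 Upgrade on the **General** page, yet step 5 distributes "Windows 10 Enterprise x64 Update", and both deploy sections describe deploying an "application" rather than a task sequence. Suggest one name for each object throughout, so the reader deploys the sequence that was just built. Smaller points: `**Install.**` has the period inside the bold, the note still says the steps are specific to Technical Preview 2 under a Current Branch heading, and the file ends in a run of empty added lines that can be trimmed.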
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 8a830c5fd9..b0cf117686 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -1,86 +1,87 @@
----
-title: Getting Started with the User State Migration Tool (USMT) (Windows 10)
-description: Getting Started with the User State Migration Tool (USMT)
-ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Getting Started with the User State Migration Tool (USMT)
-This topic outlines the general process that you should follow to migrate files and settings.
-
-## In this Topic
-- [Step 1: Plan Your Migration](#step-1-plan-your-migration)
-
-- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer)
-
-- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings)
-
-## Step 1: Plan your migration
-1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
-
-2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys.
-
-3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
-
-4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md)
-
-5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
-
- **Important**
- We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files.
-
- You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
-
-6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files:
-
- `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log`
-
-7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate.
-
-## Step 2: Collect files and settings from the source computer
-1. Back up the source computer.
-
-2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files.
-
- **Note**
- USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail.
-
-3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example,
-
- `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`
-
- **Note**
- If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
-
-4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted.
-
-## Step 3: Prepare the destination computer and restore files and settings
-1. Install the operating system on the destination computer.
-
-2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved.
-
- **Note**
- The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version.
-
-3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
-
- **Note**
- Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail.
-
-4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md).
-
- For example, the following command migrates the files and settings:
-
- `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log`
-
- **Note**
- Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**.
-
-5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on.
+---
+title: User State Migration Tool (USMT) - Getting Started (Windows 10)
+description: Getting Started with the User State Migration Tool (USMT)
+ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Getting Started with the User State Migration Tool (USMT)
+This topic outlines the general process that you should follow to migrate files and settings.
+
+## In this Topic
+- [Step 1: Plan Your Migration](#step-1-plan-your-migration)
+
+- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer)
+
+- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings)
+
+## Step 1: Plan your migration
+1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
+
+2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys.
+
+3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
+
+4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md)
+
+5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
+
+ **Important**
+ We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files.
+
+ You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
+
+6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files:
+
+ `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log`
+
+7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate.
+
+## Step 2: Collect files and settings from the source computer
+1. Back up the source computer.
+
+2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files.
+
+ **Note**
+ USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail.
+
+3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example,
+
+ `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`
+
+ **Note**
+ If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
+
+4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted.
+
+## Step 3: Prepare the destination computer and restore files and settings
+1. Install the operating system on the destination computer.
+
+2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved.
+
+ **Note**
+ The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version.
+
+3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
+
+ **Note**
+ Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail.
+
+4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md).
+
+ For example, the following command migrates the files and settings:
+
+ `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log`
+
+ **Note**
+ Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**.
+
+5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on.
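Review bot: Apart from the `title:` line, every re-added line visible in this hunk reads the same as the line it replaces, so a one-line title change is buried in a whole-file rewrite. That usually means a line-ending or whitespace change came along with it. Suggest confirming the normalization is intended and, if not, reducing the hunk to the title line so the history stays reviewable. `author: greg-lindsay` also shows up both as an unchanged line and as an added line; please check the resulting front matter carries it once, inside the `---` block. Since the text is being re-added anyway, the carried-over slips could be fixed in the same pass: "about the how the" in the ScanState and LoadState notes, and the missing comma and period in "For more information see [ScanState Syntax](usmt-scanstate-syntax.md)".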
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index c1f9331822..db8c0256dd 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -25,12 +25,20 @@ ms.topic: article
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+> [!NOTE]
+> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
+
+> [!NOTE]
+> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
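Review bot: The added note about WIP using EFS is placed in `windows-autopilot/known-issues.md`, and nothing in the visible lines ties it to Autopilot. Please confirm this is the file it belongs in; if it was meant for a Windows Information Protection topic, move it there. The Preview Pane caveat is worth keeping wherever it lands, and it would help to say whether it applies to all EFS-encrypted files or only to those protected by WIP.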
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 46f40cb732..b11eab1f7d 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,5 +1,5 @@
---
-title: Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) (Windows 10)
+title: Recommended URLs for Windows Information Protection (Windows 10)
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index 958ab7847d..94df767962 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,5 +1,5 @@
---
-title: Using Outlook on the web with Windows Information Protection (WIP) (Windows 10)
+title: Using Outlook on the web with WIP (Windows 10)
description: Options for using Outlook on the web with Windows Information Protection (WIP).
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access
ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index a710de4335..5bb338c311 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,6 +1,5 @@
---
-title:
-# Fine-tune Windows Information Policy (WIP) with WIP Learning
+title: Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
ms.reviewer:
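Review bot: The new `title:` expands WIP as "Windows Information Policy", while the description on the next line and the directory name both use Windows Information Protection. Suggest `title: Fine-tune Windows Information Protection (WIP) with WIP Learning`. Moving the heading text out of the front matter is the right fix for the empty `title:` key; please also check that the body still has its own `#` heading now that the stray one is gone.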
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 0bc73d07bc..d50923659c 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -603,9 +603,9 @@
#### [Family options](windows-defender-security-center/wdsc-family-options.md)
-### [SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-#### [SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-#### [Set up and use SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
@@ -1073,7 +1073,7 @@
###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+###### [Network security: Configure encryption types allowed for Kerberos](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index 148ab10880..0aaa3b6a99 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -1,5 +1,5 @@
---
-title: 1108(S) The event logging service encountered an error while processing an incoming event published from %1. (Windows 10)
+title: The event logging service encountered an error (Windows 10)
description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
ms.pagetype: security
ms.prod: w10
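Review bot: The shortened `title:` drops the event ID "1108(S)", which is the term an analyst is most likely to search for and which the description and file name still carry. Suggest keeping the ID while shortening the rest, for example `title: 1108(S) The event logging service encountered an error (Windows 10)`.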
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index 75322ba7e9..fad5b7ff52 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -1,5 +1,5 @@
---
-title: Monitor the central access policies associated with files and folders (Windows 10)
+title: Monitor central access policies for files or folders (Windows 10)
description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed
ms.reviewer:
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 48dacf418f..4a9c0d7f29 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -1,5 +1,5 @@
---
-title: Monitor the central access policies that apply on a file server (Windows 10)
+title: Monitor central access policies on a file server (Windows 10)
description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects.
ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c
ms.reviewer:
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 56b249d3be..f60748b37b 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
-description: Hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
+title: WDAC and virtualization-based code integrity (Windows 10)
+description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
ms.prod: w10
ms.mktglfcycl: deploy
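Review bot: The rewritten `description:` line still carries the typo "capabilites"; since the line is being touched, correct it to "capabilities". The title now uses the bare acronym WDAC while the description spells it out, which is fine as long as the short form is what you want shown in search results.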
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 58f95ecbc5..92fb064c14 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
---
-title: Requirements and deployment planning guidelines for virtualization-based protection of code integrity (Windows 10)
-description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
+title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
+description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and code integrity policies.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
@@ -21,7 +21,7 @@ ms.author: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
+Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media.
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 79047be15a..2c5734af1f 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -2,7 +2,7 @@
title: How Microsoft identifies malware and potentially unwanted applications
ms.reviewer:
description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications.
-keywords: security, malware, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats, MMPC, Microsoft Malware Protection Center, PUA, potentially unwanted applications
+keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
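Review bot: In the new `keywords` line, "MMPC" has become "MMdevice", which looks like the PC-to-device replacement applied inside an acronym. MMPC abbreviates the "Microsoft Malware Protection Center" entry that follows it in the same list, so the keyword should stay "MMPC". Changing "pc protection" to "device protection" is fine, but the replacement should be limited to whole words.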
@@ -18,33 +18,31 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
-Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To help achieve that, we try our best to ensure our customers are safe and in control of their devices.
+Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article.
-Microsoft gives you the information and tools you need when downloading, installing, and running software, as well as tools that protect you when we know that something unsafe is happening. Microsoft does this by identifying and analyzing software and online content against criteria described in this article.
-
-You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can then help identify undesirable software and ensure they are covered by our security solutions.
+You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
## Malware
-Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
+Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
### Malicious software
-Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable states, or performs other malicious activities.
+Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
-* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your PC.
+* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your device.
-* **Downloader:** A type of malware that downloads other malware onto your PC. It needs to connect to the internet to download files.
+* **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files.
-* **Dropper:** A type of malware that installs other malware files onto your PC. Unlike a downloader, a dropper doesn’t need to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
+* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn’t have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
-* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your PC and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
+* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
-* **Hacktool:** A type of tool that can be used to gain unauthorized access to your PC.
+* **Hacktool:** A type of tool that can be used to gain unauthorized access to your device.
* **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
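Review bot: Two of the rewritten sentences in this hunk change or break the original wording. In the Malware definition, replacing "i.e. software" with "like software" turns a restatement into an example, so the sentence now reads as if software were only one kind of "applications and other code"; "that is, software" keeps the meaning. In the Malicious software paragraph, "wants to trick, cheat, or defrauds users" mixes verb forms and drops "or performs other malicious activities"; something like "tricks, cheats, or defrauds users, placing them in vulnerable states, or performs other malicious activities" keeps the full definition.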
@@ -52,23 +50,23 @@ Microsoft classifies most malicious software into one of the following categorie
* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or perform other actions before you can use your PC again. [See more information about ransomware](ransomware-malware.md).
+* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
-* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to convince you to pay for its services.
+* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
-* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once installed, trojans perform a variety of malicious activities, such as stealing personal information, downloading other malware, or giving attackers access to your PC.
+* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
-* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your PC.
+* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
-* **Worm:** A type of malware that spreads to other PCs. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
+* **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
### Unwanted software
-Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
+Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
#### Lack of choice
-You must be notified about what is happening on your PC, including what software does and whether it is active.
+You must be notified about what is happening on your device, including what software does and whether it is active.
Software that exhibits lack of choice might:
@@ -84,13 +82,13 @@ Software that exhibits lack of choice might:
* Falsely claim to be software from Microsoft.
-Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
+Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
-* Display exaggerated claims about your PC’s health.
+* Display exaggerated claims about your device’s health.
-* Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
+* Make misleading or inaccurate claims about files, registry entries, or other items on your device.
-* Display claims in an alarming manner about your PC's health and require payment or certain actions in exchange for fixing the purported issues.
+* Display claims in an alarming manner about your device's health and require payment or certain actions in exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
@@ -98,7 +96,7 @@ Software that stores or transmits your activities or data must:
#### Lack of control
-You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke authorization to software.
+You must be able to control software on your device. You must be able to start, stop, or otherwise revoke authorization to software.
Software that exhibits lack of control might:
@@ -110,7 +108,7 @@ Software that exhibits lack of control might:
* Modify or manipulate webpage content without your consent.
-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be considered non-extensible and should not be modified.
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified.
#### Installation and removal
@@ -120,7 +118,7 @@ Software that delivers *poor installation experience* might bundle or download o
Software that delivers *poor removal experience* might:
-* Present confusing or misleading prompts or pop-ups while being uninstalled.
+* Present confusing or misleading prompts or pop-ups when you try to uninstall it.
* Fail to use standard install/uninstall features, such as Add/Remove Programs.
@@ -150,25 +148,27 @@ Advertisements shown to you must:
#### Consumer opinion
-Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
+Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
## Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional protection, available to enterprises, helps deliver more productive, performant, and delightful Windows experiences.
+As an individual, you can also block downloads from PUA in the new Chromium-based Edge browser by going to **Settings** > **Privacy and services** and turning on **Block potentially unwanted apps**.
+
*PUAs are not considered malware.*
Microsoft uses specific categories and the category definitions to classify software as a PUA.
-* **Advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
+* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
-* **Cryptomining software:** Software that uses your computer resources to mine cryptocurrencies.
+* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
-* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.
+* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
-* **Marketing software:** Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.
+* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
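Review bot: The Consumer opinion line is touched here but keeps the agreement error "This Security intelligence identifies the software as malware and are available to all users"; change "are" to "is" while the line is being edited. In the added Edge sentence, "block downloads from PUA" reads as if PUA were the source of the download; "block PUA downloads" matches the setting name **Block potentially unwanted apps** quoted on the same line.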
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 63ef1862ba..3659eaeffb 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -93,7 +93,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
-* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
+* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
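Review bot: The renamed [Windows Defender SmartScreen] link in the Microsoft Edge bullet still targets https://docs.microsoft.com/microsoft-edge/deploy/index, the same URL as the [Microsoft Edge] link earlier in that sentence. A reader following it expecting SmartScreen guidance lands on the Edge deployment index, so point the link at the SmartScreen documentation page as part of the rename.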
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index 28718f36f6..fdf1e1e4bf 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -41,7 +41,7 @@ Microsoft uses an extensive [evaluation criteria](criteria.md) to identify unwan
To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites.
-Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
+Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
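Review bot: In the "Use [Microsoft Edge]" paragraph, the link text is updated to "Windows Defender SmartScreen" but its target stays https://docs.microsoft.com/microsoft-edge/deploy/index, identical to the Microsoft Edge link at the start of the paragraph. Update the target to the SmartScreen topic so the two links do not resolve to the same page.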
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index d1b7cfa967..0490c8a9a6 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -1,6 +1,6 @@
---
-title: Microsoft Baseline Security Analyzer (MBSA) removal and guidance on alternative solutions
-description: This article documents the removal of MBSA and alternative solutions
+title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions
keywords: MBSA, security, removal
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index d342f2228f..405215c2aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -23,7 +23,7 @@ ms.date: 10/08/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
@@ -31,7 +31,7 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
-```
+```kusto
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
| where EventTime > ago(7d)
@@ -42,7 +42,7 @@ ProcessCreationEvents
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime'
+| top 100 by EventTime
```
This is how it will look like in Advanced hunting.
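Review bot: While the trailing apostrophe after `EventTime` is being fixed, the last command-line condition in the same block, `or ProcessCommandLine contains "http:"`, is worth correcting too: the substring "http:" does not occur in "https://", so PowerShell command lines that reference only HTTPS URLs and none of the listed keywords are not returned by the sample. Consider `contains "http"` or an added `contains "https:"` condition. The context sentence "This is how it will look like in Advanced hunting" would also read better as "This is how it looks in Advanced hunting".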
@@ -52,7 +52,7 @@ This is how it will look like in Advanced hunting.
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
-```
+```kusto
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
```
@@ -62,19 +62,19 @@ The query itself will typically start with a table name followed by a series of
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
-```
+```kusto
| where EventTime > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
-```
+```kusto
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
```
### Search for specific command lines
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
-```
+```kusto
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
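Review bot: The file-name filter in this hunk, `| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")`, uses the case-sensitive `in` operator and lists only all-lowercase and all-uppercase spellings, so an event recorded with a mixed-case name such as "PowerShell.exe" is silently excluded from the hunt. Since the code fences are being touched anyway, switch to the case-insensitive `in~` operator with one entry per file name; the same change belongs in the full query at the top of the article so the two stay in sync.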
@@ -84,9 +84,9 @@ Afterwards, the query looks for command lines that are typically used with Power
### Select result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
-```
+```kusto
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime'
+| top 100 by EventTime
```
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
@@ -128,8 +128,8 @@ The **Get started** section provides a few simple queries using commonly used op

->[!NOTE]
->Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
+> [!NOTE]
+> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
## Access comprehensive query language reference
@@ -140,4 +140,4 @@ For detailed information about the query language, see [Kusto query language doc
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 00a8b85828..a8e4541750 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -44,13 +44,13 @@ The Automated investigation starts by analyzing the supported entities from the
### Details of an Automated investigation
-As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
+As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
In the **Alerts** tab, you'll see the alert that started the investigation.
The **Machines** tab shows where the alert was seen.
-The **Threats** tab shows the entities that were found to be malicious during the investigation.
+The **Evidence** tab shows the entities that were found to be malicious during the investigation.
During an Automated investigation, details about each analyzed entity is categorized in the **Entities** tab. You'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index fafeee5fd2..a5cb971e01 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -1,5 +1,5 @@
---
-title: Onboard Windows 10 machines using Group Policy to Microsoft Defender ATP
+title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service.
keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, group policy
search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index b268c9db63..5a8e0475ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -31,17 +31,19 @@ ms.date: 04/24/2018
Microsoft Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
+- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning.
+- The machine name is typically reused for new sessions.
-- Instant early onboarding of a short living session
- - A session should be onboarded to Microsoft Defender ATP prior to the actual provisioning.
+VDI machines can appear in Microsoft Defender ATP portal as either:
-- Machine name persistence
- - The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name.
+- Single entry for each machine.
+Note that in this case, the *same* machine name must be configured when the session is created, for example using an unattended answer file.
+- Multiple entries for each machine - one for each session.
-You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
+The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
>[!WARNING]
-> For environments where there are low resource configurations, the VDI boot proceedure might slow the Microsoft Defender ATP sensor onboarding.
+> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding.
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
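Review bot: the added line "Note that in this case, the *same* machine name must be configured..." sits unindented between the two bullets of the "VDI machines can appear..." list, so it ends the list and is not attached to the "Single entry" item it qualifies. Indent it under that bullet. In the first added bullet, "a short-lived sessions" mixes singular and plural; use "short-lived sessions". The removed text also explained that some admins want a single entry and others multiple entries per machine name; a brief sentence on when to choose each would help, since the steps below still branch on that choice.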
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index 69c4df40de..a97e8031a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -48,7 +48,7 @@ For more information about optimizing ASR rule deployment in Microsoft 365 secur
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-# Related topics
+## Related topics
* [Ensure your machines are configured properly](configure-machines.md)
* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
index 484a763167..1f672b58a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -61,7 +61,7 @@ For more information, [read about using Intune device configuration profiles to
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-# Related topics
+## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index c51725fb99..a91141c30b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -97,7 +97,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-# Related topics
+## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 45538af5d0..08b54bfbe4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -122,20 +122,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
### Configure server proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
-
-Agent Resource | Ports
-:---|:---
-| *.oms.opinsights.azure.com | 443 |
-| *.blob.core.windows.net | 443 |
-| *.azure-automation.net | 443 |
-| *.ods.opinsights.azure.com | 443 |
-| winatp-gw-cus.microsoft.com | 443 |
-| winatp-gw-eus.microsoft.com | 443 |
-| winatp-gw-neu.microsoft.com | 443 |
-| winatp-gw-weu.microsoft.com | 443 |
-|winatp-gw-uks.microsoft.com | 443 |
-|winatp-gw-ukw.microsoft.com | 443 |
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
## Windows Server, version 1803 and Windows Server 2019
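Review bot: the removed table listed the OMS/Log Analytics agent endpoints (`*.oms.opinsights.azure.com`, `*.ods.opinsights.azure.com`, `*.blob.core.windows.net`, `*.azure-automation.net`) alongside the `winatp-gw-*` gateways, and the replacement bullet only links to the general service URL section. Confirm that the linked section lists the agent endpoints too, otherwise servers behind an allow-list proxy will lose the information they need to onboard. The link could also be relative (`configure-proxy-internet.md#...`) like other links in this doc set, and "make sure that you enable access" still leaves port 443 unstated.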
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index ffedb17951..b751dd036f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -1,5 +1,5 @@
---
-title: Help prevent ransomware and threats from encrypting and changing files
+title: Prevent ransomware and threats from encrypting and changing files
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index 1c3591492a..703b8a3412 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -1,6 +1,6 @@
---
-title: Update data retention settings for Microsoft Defender Advanced Threat Protection
-description: Update data retention settings by selecting between 30 days to 180 days.
+title: Update how long data is stored by MDATP
+description: Update data retention settings for Microsoft Defender Advanced Threat Protection (MDATP) by selecting between 30 days to 180 days.
keywords: data, storage, settings, retention, update
search.product: eADQiWindows 10XVcnh
search.appverid: met150
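Review bot: the new title uses "MDATP" without expanding it, and the abbreviation is only spelled out in the description, which readers of a search result or a browser tab may never see. Consider "Update how long data is stored by Microsoft Defender ATP", which matches the naming in the other titles touched by this change. In the description, "between 30 days to 180 days" should read "between 30 and 180 days" or "from 30 days to 180 days".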
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 16dea875b1..5e9a5f5e75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -130,7 +130,7 @@ h. Select **Manage > Assignments**. In the **Include** tab, select *
In terminal, run:
```bash
- mdatp --edr --early-preview true
+ mdatp --edr --earlypreview true
```
For versions earlier than 100.78.0, run:
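Review bot: only the first command is changed to `--earlypreview`; the command under "For versions earlier than 100.78.0, run:" lies outside this hunk. Please confirm that the older-version command does not need the same correction, and that the new spelling is valid for every version from 100.78.0 onward, since a mistyped flag here leaves EDR preview silently disabled.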
@@ -158,4 +158,4 @@ After a successful deployment and onboarding of the correct version, check that
* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
\ No newline at end of file
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
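Review bot: while this file is being touched, the health check in the context line is written as “mdatp –health” with typographic quotes and an en dash, which looks like an autocorrected double hyphen and will not work if pasted into a terminal. Put it in code formatting with plain hyphens, the way the `mdatp --edr --earlypreview true` command is written in the fenced block above, and do the same for `edrEarlyPreviewEnabled`.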
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index 4bf9ad18d4..e47d2c93c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -49,7 +49,7 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
Here is an example query:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md
index 87b7a01359..138788ba60 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/files.md
@@ -23,7 +23,7 @@ ms.topic: article
Represent a file entity in Microsoft Defender ATP.
-# Methods
+## Methods
Method|Return Type |Description
:---|:---|:---
[Get file](get-file-information.md) | [file](files.md) | Get a single file
@@ -32,7 +32,7 @@ Method|Return Type |Description
[file statistics](get-file-statistics.md) | Statistics summary | Retrieves the prevalence for the given file.
-# Properties
+## Properties
Property | Type | Description
:---|:---|:---
sha1 | String | Sha1 hash of the file content
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png
index d3f1166d66..09b816dd70 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index eada51bd1c..56539b10cf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -138,7 +138,7 @@ More details about certain events are provided in the **Additional information**
- Active threat detected - the threat detection occurred while the threat was running
- Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
- Remediation successful - the detected threat was stopped and cleaned
-- Warning bypassed by user - the SmartScreen warning was dismissed and overridden by a user
+- Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user
- Suspicious script detected - a potentially malicious script was found running
- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index 3d3a959ecb..608409befc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -26,6 +26,9 @@ You can add tags on machines using the following ways:
- Using the portal
- Setting a registry key value
+>[!NOTE]
+>There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page.
+
To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md).
## Add and manage machine tags using the portal
@@ -78,3 +81,4 @@ Use the following registry key entry to add a tag on a machine:
>[!NOTE]
>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index c7a7c7bf2b..a4227c1113 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -21,7 +21,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-# Methods
+## Methods
Method|Return Type |Description
:---|:---|:---
[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
@@ -31,7 +31,7 @@ Method|Return Type |Description
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
-# Properties
+## Properties
Property | Type | Description
:---|:---|:---
id | String | [machine](machine.md) identity.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
index 9d587e1cfb..551174a844 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
@@ -1,4 +1,6 @@
---
+title: Perform a Machine Action via the Microsoft Defender ATP API
+description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
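Review bot: this adds a `title:` key at the top of the front matter, but the next hunk's context shows the block already has `title: Note`, so the metadata now carries two `title` keys. Which one wins depends on the parser, and some reject duplicate keys. Remove the old `title: Note` line in the same change.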
@@ -7,5 +9,6 @@ author: mjcaparas
ms.prod: w10
title: Note
---
+
>[!Note]
> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 1521bb3b89..4b1bc1f541 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -102,7 +102,7 @@ You'll also have access to the following sections that help you see details of t
- Investigation graph
- Alerts
- Machines
-- Key findings
+- Evidence
- Entities
- Log
- Pending actions
@@ -138,7 +138,7 @@ Selecting a machine using the checkbox brings up the machine details pane where
Clicking on an machine name brings you the machine page.
-### Key findings
+### Evidence
Shows details related to threats associated with this investigation.
### Entities
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index d006defd48..ed62718fa4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -106,9 +106,8 @@ When you add an indicator hash for a file, you can choose to raise an alert and
Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
-
-## Create indicators for IPs and URLs/domains
-Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser.
+## Create indicators for IPs and URLs/domains (preview)
+Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
index 1d178278d5..04bb26271d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
@@ -27,13 +27,13 @@ There might be scenarios where you need to suppress alerts from appearing in the
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
-## Turn a suppression rule on or off
1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
-3. Click **Turn rule on** or **Turn rule off**.
+3. Click **Turn rule on**, **Edit rule**, or **Delete rule**. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless whether or not these alerts match the new criteria.
+
## View details of a suppression rule
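Review bot: removing "## Turn a suppression rule on or off" leaves the numbered steps without a heading, directly under the introductory paragraph, and drops the anchor that other pages may link to. Replace the heading with one that matches the new scope rather than deleting it. Step 3 also no longer mentions **Turn rule off**, although the paragraph above still says rules can be turned on or off. In the added sentence, "regardless whether or not" should be "regardless of whether".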
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
index db44e6fc9c..eb022df5f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
@@ -1,4 +1,6 @@
---
+title: Microsoft Defender ATP Pre-release Disclaimer
+description: Disclaimer for pre-release version of Microsoft Defender ATP.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
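Review bot: the added `title: Microsoft Defender ATP Pre-release Disclaimer` duplicates a key that is already present, because the following hunk's context still shows `title: "Prerelease"` in the same front matter block. Drop the old line so the block has a single `title`.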
@@ -8,5 +10,5 @@ ms.prod: w10
title: "Prerelease"
---
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 5430c0d17a..6a3f13571d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -157,7 +157,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE]
>You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
index 75423bc86d..1ac2ee7415 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
@@ -184,10 +184,9 @@ You can take the following actions to increase the overall security score of you
* Turn on Microsoft Defender AG on compatible machines
* Turn on managed mode
-
For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
-### Windows Defender SmartScreen optimization
+### Windows Defender SmartScreen optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.
@@ -202,22 +201,22 @@ A well-configured machine complies to a minimum baseline configuration setting.
The following settings must be configured with the following settings:
* Check apps and files: **Warn** or **Block**
-* SmartScreen for Microsoft Edge: **Warn** or **Block**
-* SmartScreen for Microsoft store apps: **Warn** or **Off**
+* Microsoft Defender SmartScreen for Microsoft Edge: **Warn** or **Block**
+* Microsoft Defender SmartScreen for Microsoft store apps: **Warn** or **Off**
You can take the following actions to increase the overall security score of your organization:
- Set **Check app and files** to **Warn** or **Block**
-- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
-- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
+- Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
+- Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
* Set **Check app and files** to **Warn** or **Block**
-* Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
-* Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
+* Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
+* Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
-For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
### Windows Defender Firewall optimization
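Review bot: the product name is inconsistent within this hunk. The first list is changed to "Microsoft Defender SmartScreen for Microsoft Edge", while the two action lists and the "For more information" link are changed to "Windows Defender SmartScreen". Pick one name and use it in all three lists so the setting names match what admins see. The action list and the "For more information" line also appear twice, once with `-` bullets and once with `*` bullets; this change edits both copies when one of them should be removed.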
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index ec0e0ed4cc..f634b03320 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -66,6 +66,9 @@ Area | Description
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
+> [!NOTE]
+> Machines with no alerts seen in the last 30 days do not count towards the exposure score of Threat & Vulnerability Management.
+
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index a9b824cade..3e5cd564fb 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -1,7 +1,7 @@
---
manager: dansimp
ms.author: dansimp
-title: Override Process Mitigation Options to help enforce app-related security policies (Windows 10)
+title: Override Process Mitigation Options (Windows 10)
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options
ms.prod: w10
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 1198ca299a..355b58c60f 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -84,7 +84,7 @@ As an IT professional, you can ask application developers and software vendors t
Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
-For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
+For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index f9421d02f6..8d134aaa46 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -11,7 +11,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 11/26/2018
+ms.date: 11/21/2019
ms.reviewer:
---
@@ -27,6 +27,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
+ - Windows 10 Version 1909 (November 2019 Update)
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 94c7732647..f6beb6795e 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -1,5 +1,5 @@
---
-title: Accounts Limit local account use of blank passwords to console logon only (Windows 10)
+title: Accounts Limit local account use of blank passwords (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting.
ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
ms.reviewer:
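Review bot: The new title drops "to console logon only", which is the part that says what the setting actually limits; "Limit local account use of blank passwords" on its own reads as a general restriction. The description line below it still carries the full name, so title and description now disagree. If the goal is a shorter title, drop the "Accounts" prefix instead and keep the qualifier.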
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index efc1e8ea6f..45bae7d793 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -1,5 +1,5 @@
---
-title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10)
+title: Restrict CD-ROM access to locally logged-on user (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting.
ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 91a78717ea..0115f58fc6 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -1,5 +1,5 @@
---
-title: Domain controller Refuse machine account password changes (Windows 10)
+title: Refuse machine account password changes policy (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9
ms.reviewer:
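Review bot: Removing "Domain controller" from the title loses the scope of the setting; "Refuse machine account password changes policy" no longer says which machine does the refusing. The description still names it as the "Domain controller Refuse machine account password changes" setting, so consider a short form that keeps the scope, for example "Domain controller Refuse machine account password changes".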
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 82dc9c1898..dcf829294a 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -1,5 +1,5 @@
---
-title: Enable computer and user accounts to be trusted for delegation (Windows 10)
+title: Trust computer and user accounts for delegation (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting.
ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b
ms.reviewer:
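Review bot: The retitle to "Trust computer and user accounts for delegation" turns the name of a setting into an imperative that reads like a recommendation to grant delegation trust. The description still calls it "Enable computer and user accounts to be trusted for delegation"; a shortened title should stay descriptive of the setting rather than instruct the reader.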
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 456a194ed3..c1da92162e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -1,5 +1,5 @@
---
-title: Interactive logon Message text for users attempting to log on (Windows 10)
+title: Interactive Logon Message text (Windows 10)
description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting.
ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index a3a1d550e4..2f0c68363e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -1,5 +1,5 @@
---
-title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10)
+title: Microsoft network client Send unencrypted password (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting.
ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index 130fb31904..51a7a62dde 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -1,5 +1,5 @@
---
-title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10)
+title: Microsoft network server Attempt S4U2Self (Windows 10)
description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting.
ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index 42270f6a74..56ba9ce742 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -1,5 +1,5 @@
---
-title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10)
+title: Network access Do not allow anonymous enumeration (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting.
ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73
ms.reviewer:
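Review bot: The shortened title "Network access Do not allow anonymous enumeration" no longer says what is being enumerated, while the description still names "SAM accounts and shares". Keep the object of the setting in the title so a reader scanning search results or a table of contents can tell which anonymous-enumeration setting this page covers.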
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 3951aa3864..0e3279dc6e 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -1,5 +1,5 @@
---
-title: Network access Let Everyone permissions apply to anonymous users (Windows 10)
+title: Let Everyone permissions apply to anonymous users (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting.
ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 40dcdcacb1..af0955f3fe 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -30,7 +30,8 @@ Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Su
When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
->**Note:** The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
+> [!Note]
+> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later.
@@ -40,6 +41,9 @@ This policy is not configured by default on domain-joined devices. This would di
This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
+> [!Note]
+> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server.
+
- **Disabled**
This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
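Review bot: The added note opens with "KU2U is disabled by default", which should read "PKU2U" as in the rest of the page and in the note's own last sentence. "Remote desktop connections ... fails" should be "fail", and "Hybrid" is capitalized inconsistently within the same sentence. The note is also inserted unindented between the Enabled description and the "- **Disabled**" bullet, so check that it renders as part of the Enabled value and does not break the list of values.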
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index d3d0816760..c5496a79f8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -1,5 +1,5 @@
---
-title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10)
+title: Network security Configure encryption types allowed for Kerberos
description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting.
ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece
ms.reviewer:
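Review bot: This title drops the "(Windows 10)" suffix that every other retitled page in this change keeps, and it removes "Win7 only" from the title while the description line still ends in "Kerberos Win7 only security policy setting". Either restore the suffix and update the description to match, or explain why this page is the exception.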
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index ddad0a8565..c8d671e6b6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -1,5 +1,5 @@
---
-title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10)
+title: Network security Restrict NTLM in this domain (Windows 10)
description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting.
ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index c2a02e239d..0e229ebce6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -1,5 +1,5 @@
---
-title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10)
+title: Network security Restrict NTLM Outgoing traffic (Windows 10)
description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting.
ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index e814cda2fd..b3e5bb9c6c 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -1,5 +1,5 @@
---
-title: Shutdown Clear virtual memory pagefile - security policy setting (Windows 10)
+title: Shutdown Clear virtual memory pagefile (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
index fc1b6be023..f055b88d86 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
@@ -1,5 +1,5 @@
---
-title: SMBv1 Microsoft network client Digitally sign communications (always) (Windows 10)
+title: Always sign SMBv1 network client communications (Windows 10)
description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index c6c7912ae9..92e19e7cda 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -1,5 +1,5 @@
---
-title: User Account Control Behavior of the elevation prompt for standard users (Windows 10)
+title: Behavior of the elevation prompt for standard users (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting.
ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index 7683b3beec..47e4c3b995 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -1,5 +1,5 @@
---
-title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10)
+title: Only elevate UIAccess app installed in secure location (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting.
ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c
ms.reviewer:
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 6361e34ee2..9c85a319b8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -1,5 +1,5 @@
---
-title: User Account Control Run all administrators in Admin Approval Mode (Windows 10)
+title: UAC Run all administrators in Admin Approval Mode (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting.
ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf
ms.reviewer:
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 51ff05189a..69291f7a17 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -573,6 +573,11 @@ Here are the minimum steps for WEF to operate:
+ Issue More information
+
+
+
Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more).
+To fix this issue:
+
+
Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file.
To fix this issue:
-More information
+More informationTPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).
Download and install the KB4517211 update.
The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
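Review bot: The added TPM attestation row says the extra EK certificate validation "will be removed", in the future tense, while the very next line tells the reader to install KB4517211. State whether KB4517211 is the update that removes the validation, so it is clear the issue is resolved rather than pending. The added "To fix this issue:" under the real-time clock entry is followed only by empty added lines in this hunk; confirm the remediation steps are actually part of the change.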
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 709a681130..260868ca64 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -142,13 +142,25 @@ The data transmitted at the Basic and Enhanced data diagnostic levels is quite s
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+Solutions like Desktop Analytics or Microsoft Defender Advanced Threat Protection need Windows devices to reach diagnostics endpoints which enable organizations to leverage solutions based on diagnostics data. These solutions leverage Windows components like the Connected User Experiences and Telemetry service, Windows Defender Advanced Threat Protection service, Windows Error Reporting, and Online Crash Analysis.
+
+For a complete list of diagnostics endpoints leveraged by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/enable-data-sharing).
+For a complete list of diagnostics endpoints leveraged by Microsoft Defender Advanced Threat Protection, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+
The following table defines the endpoints for Connected User Experiences and Telemetry component:
-Windows release | Endpoint
---- | ---
-Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
-Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
-Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
+| Windows release | Endpoint |
+| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed | **Diagnostics data:** v10c.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+| Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data:** v10.events.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+| Windows 10, version 1709 or earlier | **Diagnostics data:** v10.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+
+The following table defines **additional diagnostics endpoints** not covered by services in the links above:
+
+| Service | Endpoint |
+| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| Onedrive app for Windows 10 | https://vortex.data.microsoft.com/collect/v1 |
+
The following table defines the endpoints for other diagnostic data services:
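Review bot: In the three rewritten table rows the Settings endpoint changes from win.data.microsoft.com to settings-win.data.microsoft.com, a substantive change buried in what otherwise looks like a table reformat; call it out in the commit message so administrators who built proxy or firewall allow lists from the old value know to update them. In the same rows "country,for example" is missing a space after the comma. In the new additional-endpoints table, "Onedrive" should be "OneDrive", and its entry is a full URL with scheme and path while every other row gives a bare hostname, so pick one form. The new introductory paragraph also uses both "Microsoft Defender Advanced Threat Protection" and "Windows Defender Advanced Threat Protection service"; confirm the second is the intended service name.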
@@ -385,7 +397,7 @@ In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data
- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
->[!NOTE]
+> [!NOTE]
> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data.
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 819728ac85..31d91bd6a5 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -44,8 +44,8 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
- >[!Important]
- >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
+> [!Important]
+> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.
@@ -118,17 +118,15 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
## Modifying the size of your data history
By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
- >[!Important]
- >Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified.
+> [!Important]
+> Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified.
**Modify the size of your data history**
- To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached.
+To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached.
- >[!Important]
- >Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
-
- 
+> [!Important]
+> Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
## View additional diagnostic data in the View problem reports tool
Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer.
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index c6e50f98f3..41c5fa5a8a 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,6 +1,6 @@
---
+title: Enhanced diagnostic data required by Windows Analytics (Windows 10)
description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics
-title: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy (Windows 10)
keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
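Review bot: The new title says the data is "required by Windows Analytics", but the description directly below it says the policy is "used by Desktop Analytics", and another page in this same change refers to "the retirement of Windows Analytics". Use one product name in both title and description. The title line was also moved above the description while other front-matter blocks in this change keep their order; that is harmless but adds noise to the diff.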
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 259561932e..fb8707befe 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -1,6 +1,6 @@
---
-title: Beginning your General Data Protection Regulation (GDPR) journey for Windows 10 (Windows 10)
-description: Use this article to understand what GDPR is and about the products Microsoft provides to help you get started towards compliance.
+title: General Data Protection Regulation (GDPR) for Windows 10
+description: Use this article to understand what GDPR is and which products Microsoft provides to help you get started towards compliance.
keywords: privacy, GDPR
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index b9a39fb4e3..291b0a7d56 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -67,7 +67,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer)
1. MDM Policy: [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the user’s browsing activity. **Set to Disabled**
- 1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value:
+ 1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value:
1. **\
**Set Value to: Disabled**|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled** You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**|
-| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
**Set Value to: Enabled** and then set **Select SmartScreen filtering mode** to **Off**.|
+| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
| Registry Key | Registry path |
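Review bot: In the changed table row, "manage the Windows Defender SmartScreen in Internet Explorer" reads as a mechanical search-and-replace: the article "the" fitted "the SmartScreen Filter" but not the product name. Suggest "manage Windows Defender SmartScreen in Internet Explorer". The rewritten MDM policy line also keeps the stray space inside the link target, `]( https://`; since the line is being touched anyway, drop it.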
@@ -426,7 +426,7 @@ To turn off Insider Preview builds for Windows 10:
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**|
| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** |
| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** |
-| Prevent managing SmartScreen filter | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** |
+| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** |
There are more Group Policy objects that are used by Internet Explorer:
@@ -577,7 +577,7 @@ Alternatively, you can configure the following Registry keys as described:
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** |
| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**|
-| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** |
+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** |
| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** |
| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<
REG_DWORD name: PreventFirstRunPage
Value: **1**|
@@ -875,7 +875,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
- Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
-To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**:
+To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:
- Turn off the feature in the UI.
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index d096e3ff63..3e1def041d 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -413,7 +413,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
|MpCmdRun.exe|HTTPS|go.microsoft.com |
The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear.
| Source process | Protocol | Destination |
|----------------|----------|------------|
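Review bot: The rewritten sentence keeps the typo "will no appear"; it should read "will not appear". It also spells the product "Smartscreen", as does the unchanged sentence above it, while the rest of this change uses "SmartScreen".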
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 47ce5b00ee..04e1b3af64 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -1,6 +1,6 @@
---
+title: Windows 10 & Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10.
-title: Windows 10 & Privacy Compliance - A Guide for IT and Compliance Professionals
keywords: privacy, GDPR, compliance
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index f6351c2c0b..5e8590a6eb 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -1,10 +1,10 @@
### YamlMime:YamlDocument
documentType: LandingData
-title: Resolved issues in Windows 10, version 1809 and Windows Server 2019
+title: Resolved issues in Windows 10 version 1809 & Windows Server 2019
metadata:
document_id:
- title: Resolved issues in Windows 10, version 1809 and Windows Server 2019
+ title: Resolved issues in Windows 10 version 1809 and Windows Server 2019
description: Resolved issues in Windows 10, version 1809 or Windows Server 2019
keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10 1809"]
ms.localizationpriority: high
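Review bot: The two title values no longer match: the top-level title uses "&" and the metadata title uses "and". If the shorter form is needed for a length limit, say so in the commit message; otherwise keep them identical. The description on the following line still writes "Windows 10, version 1809" with the comma that both titles dropped.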
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 60d02adb71..6d52746433 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -1,5 +1,5 @@
---
-title: Considerations when using Windows Defender Credential Guard (Windows 10)
+title: Advice while using Windows Defender Credential Guard (Windows 10)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 9197e2d07d..013c2a4130 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,6 +1,6 @@
---
-title: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
-description: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
+title: Having enough Domain Controllers for Windows Hello for Business deployments
+description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
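Review bot: The description changes the stated requirement from "Windows Server 2019" to "Windows Server 2016 or later", which is a factual change rather than a title cleanup. Confirm the article body states the same minimum version, since the front matter is the only part of the file this hunk touches.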
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 4563787217..7478dfafe1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,6 +1,6 @@
---
-title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business)
-description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
+title: Prepare & Deploy Windows AD FS (Windows Hello for Business)
+description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
@@ -54,6 +54,7 @@ Windows Hello for Business on-premises deployments require a federation server f
The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
+* Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com*
You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
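Review bot: The added SAN example, *enterpriseregistration.contoso.com*, uses a different DNS suffix from the bullet above it (*fs.corp.contoso.com*, *.corp.contoso.com). State which suffix the device registration name must use, and note that the wildcard example in the previous bullet would not match it, so a reader issuing a wildcard certificate still needs this name listed explicitly.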
@@ -193,6 +194,9 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group
+> [!NOTE]
+> If you have a Windows Server 2016 domain controller in your domain, you can use the **Key Admins** group instead of **KeyCredential Administrators** and skip the **Configure Permissions for Key Registration** step.
+
The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
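Review bot: The note calls the group **KeyCredential Administrators**, the section heading says "KeyCredential Admin group", and the sentence changed in hello-cert-trust-validate-ad-prereq.md calls it "KeyCredential Admins". Pick one name. The note also identifies the **Configure Permissions for Key Registration** step by bold text only; link to that section so the reference survives a heading rename. Since the heading and the paragraph after the note still name only KeyCredential Administrators, say which group the AD FS service account is added to when **Key Admins** is used.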
@@ -363,9 +367,12 @@ Active Directory Federation Server used for Windows Hello for Business certifica
Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
+> [!NOTE]
+> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN)
+
Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
->[!TIP]
+> [!TIP]
> Make sure to change the $enrollmentService and $configNC variables before running the script.
```Powershell
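Review bot: The note says the script below is normally not needed and can be used to validate the SCP, but the unchanged sentence after it still says "Now you will add the Service connection Point ... by running the following script". The reader cannot tell whether the script creates the object or only checks it. Reword one of the two so they agree. The link sentence is also missing its final period and carries a `?redirectedfrom=MSDN` query string that can be dropped.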
@@ -483,7 +490,7 @@ Before you continue with the deployment, validate your deployment progress by re
* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:
* Issuance requirements of an authorized signature from a certificate request agent.
* The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe
- * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions
+ * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions
* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
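Review bot: Dropping "allow auto enroll" from this checklist item changes what the reader verifies on the certificate template. Confirm the template configuration steps earlier in the article no longer grant auto enroll to the Windows Hello for Business Users group; otherwise the procedure and the review checklist disagree. With a single permission left, "permissions" should become "permission", matching the AD FS service account item two lines down.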
@@ -496,6 +503,11 @@ Before you continue with the deployment, validate your deployment progress by re
You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account.
+> [!IMPORTANT]
+> After following the previous steps, if you are unable to validate that the devices are, in fact, being registered automatically, there is a Group Policy at:
+> **Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration >** "Register Domain Joined Computers As Devices". Set the policy to **Enabled**
+> and the registration will happen automatically.
+
### Event Logs
Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show
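Review bot: The IMPORTANT block is about automatic device registration but sits between the paragraph on verifying the enrollment agent certificate and the Event Logs heading, both of which concern the AD FS service account. Move it to the device registration section, and replace "After following the previous steps" with the name of the step it depends on. The policy name is in quotation marks while the path is bold; format both the same way and end the "Set the policy to **Enabled**" sentence without splitting it across two quote lines.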
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 9a09812b07..d2d11cd393 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -24,7 +24,7 @@ ms.reviewer:
- Certificate trust
-The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step.
+The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\
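Review bot: The skip condition is stated for a Windows Server 2016 domain controller "in your forest", while the note added in hello-cert-trust-adfs.md states it for one "in your domain". The schema update is forest-wide but a group exists per domain, so the two skipped steps may not share one condition; state the condition for each step. The step names are bold text only; link them to their headings.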
+| Hex | Cause | Mitigation |
+| :--------- | :----------------------------------------------------------------- | :------------------------------------------ |
+| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Azure AD and rejoin. |
+| 0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. |
+| 0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. |
+| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
+| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. |
+| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650). |
+| 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
+| 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. |
+| 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation. |
+| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933). |
+| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
+| 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. |
+| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
+| 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. |
+| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
+| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
+| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
+| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
+| 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. |
+| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
+| 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. |
+| 0x801C03EC | Unhandled exception from server. | sign out and then sign in again. |
+| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.
## Errors with unknown mitigation
For errors listed in this table, contact Microsoft Support for assistance.
-| Hex | Cause |
+| Hex | Cause |
|-------------|---------|
-| 0x80072f0c | Unknown |
-| 0x80070057 | Invalid parameter or argument is passed |
-| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
-| 0x8009002D | NTE\_INTERNAL\_ERROR |
-| 0x80090020 | NTE\_FAIL |
-| 0x801C0001 | ADRS server response is not in valid format |
-| 0x801C0002 | Server failed to authenticate the user |
-| 0x801C0006 | Unhandled exception from server |
-| 0x801C000C | Discovery failed |
-| 0x801C001B | The device certificate is not found |
-| 0x801C000B | Redirection is needed and redirected location is not a well known server |
+| 0X80072F0C | Unknown |
+| 0x80070057 | Invalid parameter or argument is passed. |
+| 0x80090020 | NTE\_FAIL |
+| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
+| 0x8009002D | NTE\_INTERNAL\_ERROR |
+| 0x801C0001 | ADRS server response is not in a valid format. |
+| 0x801C0002 | Server failed to authenticate the user. |
+| 0x801C0006 | Unhandled exception from server. |
+| 0x801C000B | Redirection is needed and redirected location is not a well known server. |
+| 0x801C000C | Discovery failed. |
+| 0x801C0013 | Tenant ID is not found in the token. |
+| 0x801C0014 | User SID is not found in the token. |
| 0x801C0019 | The federation provider client configuration is empty |
-| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty |
-| 0x801C0013 | Tenant ID is not found in the token |
-| 0x801C0014 | User SID is not found in the token |
-| 0x801C03F1 | There is no UPN in the token |
-| 0x801C03F0 | There is no key registered for the user |
-| 0x801C03F1 | There is no UPN in the token |
-| 0x801C044C | There is no core window for the current thread |
-
+| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty. |
+| 0x801C001B | The device certificate is not found. |
+| 0x801C03F0 | There is no key registered for the user. |
+| 0x801C03F1 | There is no UPN in the token. |
+| 0x801C044C | There is no core window for the current thread. |
+
## Related topics
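Review bot: The first row of the reordered unknown-mitigation table is written `0X80072F0C` with an uppercase X; every other code in both tables uses `0x`, so a reader searching for the code in the usual form will miss it. In the mitigation table, the 0x801C03EC row starts "sign out" in lowercase, and several causes (for example 0x801C0016 and 0x801C03E9) lack the final period the other rows gained, as does the unchanged 0x801C0019 row.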
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 1db3c21e10..015331499c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -51,7 +51,7 @@ In this task you will
The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
+Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
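Review bot: The corrected sentence still names the attribute "msDS-KeyCredential", while the paragraph above it says "msDS-KeyCredentialsLink". An administrator setting permissions on AdminSDHolder needs the exact attribute name; use one spelling, taken from the schema, in both places. The context paragraph also says "Windows for Business" where "Windows Hello for Business" is meant.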
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index c0d84c47c0..27c18d43e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,5 +1,5 @@
---
-title: Azure AD Join Single Sign-on Deployment Guides
+title: Azure AD Join Single Sign-on Deployment
description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: w10
@@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Azure AD Join Single Sign-on Deployment Guides
+# Azure AD Join Single Sign-on Deployment
**Applies to**
- Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index cd40458897..5304c0af57 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,5 +1,5 @@
---
-title: Hybrid Windows Hello for Business Prerequisites (Windows Hello for Business)
+title: Hybrid Windows Hello for Business Prerequisites
description: Prerequisites for Hybrid Windows Hello for Business Deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index a6df7720f8..b186880166 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,5 +1,5 @@
---
-title: Configuring Hybrid Windows Hello for Business - Active Directory (AD)
+title: Configure Hybrid Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport, WHFB, ad
ms.prod: w10
@@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Configuring Windows Hello for Business: Active Directory
+# Configure Windows Hello for Business: Active Directory
**Applies to**
- Windows 10, version 1703 or later
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 388da08d52..be3bc06968 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -51,13 +51,16 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
+> [!TIP]
+> The adfssvc account is the AD FS service account.
+
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
1. Open **Active Directory Users and Computers**.
2. Click the **Users** container in the navigation pane.
3. Right-click **Windows Hello for Business Users** group
4. Click the **Members** tab and click **Add**
-5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
+5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
7. Restart the AD FS server.
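Review bot: The tip states that adfssvc is the AD FS service account, while the reworded step 5 treats it as a name to substitute. Word the tip as "adfssvc is the example AD FS service account name used in this guide" so the two agree, and place it directly before the numbered steps where the name is first used.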
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 2e7fe96f8c..e2d7d4fc9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,5 +1,5 @@
---
-title: Configuring Hybrid Windows Hello for Business - Directory Synchronization
+title: Configure Hybrid Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect
ms.prod: w10
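Review bot: The new title shortens "Synchronization" to "Synch" and drops the separator before it, while the description keeps "Directory Synchronization". Spell the word out in the title so the two fields agree.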
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 804d8a9ca6..9a5ce9f830 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -78,7 +78,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+> * The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store.
+> * If you are using a 3rd party CA, add the certificate to the NTAuth store. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
### Enrollment Agent certificate template
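Review bot: The second bullet tells the reader to "add the certificate to the NTAuth store" without saying which certificate or how. The first bullet names the Domain Controller Certificate but then says that Enterprise CAs are what get added to the store, so a reader with a 3rd party CA cannot tell whether to publish the CA certificate or the domain controller's. Name the certificate explicitly and link to the procedure for publishing it, because the stated consequence of getting it wrong is that user authentication fails.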
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 653af360e6..351e8af565 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,5 +1,5 @@
---
-title: Windows Hello for Business Key Trust New Installation (Windows Hello for Business)
+title: Windows Hello for Business Key Trust New Installation
description: Windows Hello for Business Hybrid baseline deployment
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 149f51780f..ce98019039 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,6 +1,6 @@
---
-title: Configuring Hybrid key trust Windows Hello for Business - Directory Synchronization
-description: Configuring Hybrid key trust Windows Hello for Business - Directory Synchronization
+title: Hybrid Windows Hello for Business - Directory Synchronization
+description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
@@ -47,9 +47,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
> [!div class="checklist"]
> * Configure group membership for Azure AD Connect
->[!div class="step-by-step"]
-[< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
-[Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)
+> [!div class="step-by-step"]
+> [< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
+> [Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
+| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
+| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync).
+| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
+| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
+| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
-
-
-
-
-
-
-Hex
-Cause
-Mitigation
-
-
-
-0x801C044D
-Authorization token does not contain device ID
-Unjoin the device from Azure AD and rejoin
-
-
-0x80090036
-User canceled an interactive dialog
-User will be asked to try again
-
-
-0x80090011
-The container or key was not found
-Unjoin the device from Azure AD and rejoin
-
-
-0x8009000F
-The container or key already exists
-Unjoin the device from Azure AD and rejoin
-
-
-0x8009002A
-NTE_NO_MEMORY
-Close programs which are taking up memory and try again.
-
- 0x80090005
-NTE_BAD_DATA
-Unjoin the device from Azure AD and rejoin
-
-
-0x80090029
-TPM is not set up.
-Sign on with an administrator account. Click Start, type "tpm.msc", and select tpm.msc Microsoft Common Console Document. In the Actions pane, select Prepare the TPM.
-
-
-0x80090031
-NTE_AUTHENTICATION_IGNORED
-Reboot the device. If the error occurs again after rebooting, reset the TPM or run Clear-TPM
-
-
-0x80090035
-Policy requires TPM and the device does not have TPM.
-Change the Windows Hello for Business policy to not require a TPM.
-
-
-0x801C0003
-User is not authorized to enroll
-Check if the user has permission to perform the operation.
-
-
-0x801C000E
-Registration quota reached
-
-
-
-0x801C000F
-Operation successful but the device requires a reboot
-Reboot the device.
-
-
-0x801C0010
-The AIK certificate is not valid or trusted
-Sign out and then sign in again.
-
-
-0x801C0011
-The attestation statement of the transport key is invalid
-Sign out and then sign in again.
-
-
-0x801C0012
-Discovery request is not in a valid format
-Sign out and then sign in again.
-
-
-0x801C0015
-The device is required to be joined to an Active Directory domain
-Join the device to an Active Directory domain.
-
-
-0x801C0016
-The federation provider configuration is empty
-Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty.
-
-
-0x801C0017
-The federation provider domain is empty
-Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty.
-
-
-0x801C0018
-The federation provider client configuration URL is empty
-Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL.
-
-
-0x801C03E9
-Server response message is invalid
-Sign out and then sign in again.
-
-
-0x801C03EA
-Server failed to authorize user or device.
-Check if the token is valid and user has permission to register Windows Hello for Business keys.
-
-
-0x801C03EB
-Server response http status is not valid
-Sign out and then sign in again.
-
-
-0x801C03EC
-Unhandled exception from server.
-sign out and then sign in again.
-
-
-0x801C03ED
-
-Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
-
-
-0x801C03EE
-Attestation failed
-Sign out and then sign in again.
-
-
-0x801C03EF
-The AIK certificate is no longer valid
-Sign out and then sign in again.
-
-
-0x801C03F2
-Windows Hello key registration failed.
-ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to Duplicate Attributes Prevent Dirsync.
-
-
-0x801C044D
-Unable to obtain user token
-Sign out and then sign in again. Check network and credentials.
-
-
-
-0x801C044E
-Failed to receive user creds input
-Sign out and then sign in again.
-
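Review bot: The added row "| | Unable to obtain user token. |" has an empty error-code cell, so the reader cannot match it to what appears on screen. The removed table listed 0x801C044D twice, once for "Authorization token does not contain device ID" and once for "Unable to obtain user token"; if both causes really share that code, repeat the code in the second row or merge the two rows, and if not, supply the correct value. The added 0x801C03F2 row is also the only one without a closing "|", which will break the table layout in some renderers.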
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 9e2635b984..41d11386b2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,5 +1,5 @@
---
-title: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
+title: Configure Hybrid key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust
ms.prod: w10
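Review bot: The shortened title drops "Public Key Infrastructure (PKI)", which was the only part that identified this page's subject; the description and keywords on the next lines still say PKI. As written, "Configure Hybrid key trust Windows Hello for Business" is hard to tell apart from the sibling Group Policy and directory synchronization pages changed in this same patch. Keep "PKI" in the title, for example "Configure Hybrid key trust Windows Hello for Business - PKI".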
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 122053e414..440ab1ea70 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,5 +1,5 @@
---
-title: Configuring Hybrid key trust Windows Hello for Business - Group Policy
+title: Configure Hybrid Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust
ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 48f2e98a5d..5202ec8d19 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,5 +1,5 @@
---
-title: Configure Hybrid Windows Hello for Business key trust Settings (Windows Hello for Business)
+title: Configure Hybrid Windows Hello for Business key trust Settings
description: Configuring Windows Hello for Business Settings in Hybrid deployment
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index c1a9b60e79..b7dfbc3d78 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -29,13 +29,24 @@ Windows Hello addresses the following problems with passwords:
- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
->[!div class="mx-tdBreakAll"]
->| | | |
->| :---: | :---: | :---: |
->| [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
+> | | | |
+> | :---: | :---: | :---: |
+> | [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
## Prerequisites
+> [!Important]
+> 1. Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model..
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+>
+> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+
### Cloud Only Deployment
* Windows 10, version 1511 or later
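Review bot: In the added Important block, the lines under each "**Requirements:**" have no list markers and no visible hard breaks, so inside the blockquote they will fold into one running paragraph with the numbered item above them. Make them a nested bullet list under items 1 and 2. While there: item 1 ends with a doubled period ("model.."), the "since version 1903" sentence has no terminating period, and the tag is written "[!Important]" here but "[!IMPORTANT]" further down in this same file.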
@@ -57,7 +68,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
andWindows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
-| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter |
+| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter |
| Azure Account | Azure Account | Azure Account | Azure Account |
| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect |
@@ -78,5 +89,5 @@ The table shows the minimum requirements for each deployment.
| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
->[!IMPORTANT]
+> [!IMPORTANT]
> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers).
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index a6364bad59..5d99da0e10 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,6 +1,6 @@
---
-title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business)
-description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
+title: Prepare & Deploy Windows Active Directory Federation Services
+description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index f4e3ef2457..14785da0c9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,6 +1,6 @@
---
-title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business)
-description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business
+title: Validate and Deploy MFA for Windows Hello for Business
+description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 73d306bba1..7dffe7b0a9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -64,11 +64,23 @@ The hybrid deployment model is for organizations that:
* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+> [!Important]
+> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+
##### On-premises
The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory.
+> [!Important]
+> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-It’s fundamentally important to understand which deployment model to use for a successful deployment. Some of aspects of the deployment may already be decided for you based on your current infrastructure.
+It’s fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
#### Trust types
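Review bot: Both Important blocks added here repeat, word for word, the PIN reset requirements that this patch also adds to hello-identity-verification.md, so the version numbers (1703, 1709, 1809, 1903) now have to be kept in step in two places. Keep the requirements in one page and link to them from the other. In the hybrid block, "non-destructive PIN reset that only works with the certificate trust model" is also ambiguous about whether key trust has no PIN reset at all or only a destructive one; state that directly.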
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 702f62e6d4..d905fbf992 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -97,14 +97,14 @@ The smart card reader device name is constructed in the form <*VendorName*>
| 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
-| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This is a benign error that does not affect end use of a smart card and can be ignored.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card |
+| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios.|
| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code |
| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name |
| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name |
| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
-| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. This error may also occur if the event is queried before the smart card service is ready. In this case the error is benign and can be ignored.
%1 = Windows error code |
+| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. |
| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code |
## Smart card Plug and Play events
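Review bot: The new text for event 610 gives conflicting triage guidance: it says the error "can indicate hardware failure" and then, in the appended sentence, that it "can be ignored if there is no noticeable failure". Tell the reader how to distinguish the two cases, for example by whether the event recurs for the same reader while the card stays inserted. For event 621 the patch removes the specific explanation that the error is benign when the event is queried before the smart card service is ready and replaces it with the generic "legacy functionality" sentence; keep the specific cause, since it is the part an administrator can verify. The appended sentence also switches from "These events" to "It" in both rows.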
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index 4ce0666579..71cc07649a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -37,7 +37,15 @@ If BitLocker is enabled on a drive before Group Policy has been applied to enfor
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+
+```PowerShell
+$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
+$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
+
+Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
+BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
+```
> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 527daea7c6..5474e7faf1 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -73,7 +73,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
### Using Security Center
-Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
+Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.

diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 73692e6065..384c907c62 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -25,7 +25,7 @@ ms.author: dansimp
The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
-Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. The SmartScreen Filter warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
+Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
Those are just some of the ways that Windows 10 protects you from malware. However, those security features protect you only after Windows 10 starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
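Review bot: The rewritten sentence keeps the clause "even if it's recognized as malware", which reads backwards next to the preceding sentence about Windows Defender quarantining known-malicious apps. Since the line is being touched for the SmartScreen rename anyway, confirm whether "even if it's not recognized as malware" was intended and fix it in the same change.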
@@ -80,7 +80,7 @@ All x86-based Certified For Windows 10 PCs must meet several requirements relat
These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
-- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to
All fields marked as “*”
- All files signed by any publisher. (Not recommended)
+ All files signed by any publisher. (Not recommended and may not work)
Publisher only
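Review bot: "(Not recommended and may not work)" does not tell an administrator when the all-wildcard publisher rule fails or what happens to protected data when it does. Either state the condition under which the rule is not applied, or drop "may not work" and say plainly that the option is unsupported.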
@@ -299,6 +299,8 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com
## Create an Executable rule for unsigned apps
+The executable rule helps to create an AppLocker rule to sign any unsigned apps. It enables adding the file path or the app publisher contained in the file's digital signature needed for the WIP policy to be applied.
+
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**.
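Review bot: The added introduction says the rule is created "to sign any unsigned apps", but an AppLocker rule identifies apps and does not sign them; the section heading itself is "Create an Executable rule for unsigned apps". The second sentence then refers to "the app publisher contained in the file's digital signature", which an unsigned app does not have. Reword to say that the rule lets an unsigned app be identified by its file path so that the WIP policy can be applied to it.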
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index a01fabb5ce..7cdf0d2dfd 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -134,6 +134,9 @@ This table provides info about the most common problems you might encounter whil
-
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index b5d9f68991..17897257a2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -43,20 +43,20 @@ MpCmdRun.exe -scan -2
| Command | Description |
|:----|:----|
-| \-? **or** -h | Displays all available options for this tool |
-| \-Scan [-ScanType [0\|1\|2\|3]] [-File \
`settings-win.data.microsoft.com`|
-
## Validate connections between your network and the cloud
After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index b62d657934..06ca413d66 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -44,7 +44,7 @@ To configure these settings:
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
-Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
+Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition Windows Defender SmartScreen, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
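Review bot: the replacement row for "Scan all downloaded files and attachments" dropped a word during the rename; "This operates in addition Windows Defender SmartScreen" should read "This operates in addition to Windows Defender SmartScreen". The removed line had "in addition to the SmartScreen filter", so the "to" was lost with the rest of the old phrase.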
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 3dfe9a2e82..b5a79ca055 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -43,11 +43,11 @@ This guide will show you how to configure your VMs for optimal protection and pe
You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf) which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
->[!IMPORTANT]
+> [!IMPORTANT]
> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
->[!NOTE]
+> [!NOTE]
> There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
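Review bot: the alert markers here move from `>[!IMPORTANT]` and `>[!NOTE]` to the spaced form `> [!IMPORTANT]` and `> [!NOTE]`, while the windows-defender-smartscreen-overview.md hunk in this same patch changes `> [!NOTE]` to `>[!NOTE]`. Pick one form for the whole change so the two files do not drift in opposite directions.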
@@ -89,7 +89,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
1. The profile will now be deployed to the impacted devices. Note that this may take some time.
-
+
#### Use Group Policy to enable the shared security intelligence feature:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
1. In the **Group Policy Management Editor** go to **Computer configuration**.
@@ -97,7 +97,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreenAt least Windows Server 2012, Windows 8 or Windows RT
-This policy setting turns on Windows Defender SmartScreen.
+This policy setting turns on Windows Defender SmartScreen.
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703
-This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. SmartScreen must be enabled for this feature to work properly.
+This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. Windows Defender SmartScreen must be enabled for this feature to work properly.
Windows 10, version 1703:
@@ -60,23 +60,23 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter
Internet Explorer 9 or later
-This policy setting prevents the employee from managing SmartScreen Filter.
+This policy setting prevents the employee from managing Windows Defender SmartScreen.
Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings
Internet Explorer 8 or later
-This policy setting determines whether an employee can bypass warnings from SmartScreen Filter.
+This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen.
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Internet Explorer 9 or later
-This policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
+This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
-For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 475ce2cff3..d22f241c9b 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -1,7 +1,7 @@
---
title: Windows Defender SmartScreen overview (Windows 10)
description: Conceptual info about Windows Defender SmartScreen.
-keywords: SmartScreen Filter, Windows SmartScreen
+keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -10,7 +10,7 @@ author: mjcaparas
ms.author: macapara
audience: ITPro
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/27/2019
ms.reviewer:
manager: dansimp
---
@@ -24,34 +24,34 @@ manager: dansimp
Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
-**SmartScreen determines whether a site is potentially malicious by:**
+**Windows Defender SmartScreen determines whether a site is potentially malicious by:**
-- Analyzing visited webpages, looking for indications of suspicious behavior. If SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
-- Checking visited sites against a dynamic list of reported phishing and malicious software sites. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious.
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+**Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious.
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-- Checking downloaded files against a list of files that are well-known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
- > [!NOTE]
- > Before Windows 10, version 1703, this feature was called _the SmartScreen Filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
+ >[!NOTE]
+ >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
## Benefits of Windows Defender SmartScreen
Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
-- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
+- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
-- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+- **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-- **Improved heuristics and diagnostic data.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data.** Windows Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
-- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
+- **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
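Review bot: the first added bullet spells the product "Windows Defender Smartscreen" with a lowercase "s", unlike every other occurrence in this hunk, and it also drops the comma after "Analyzing visited webpages", which makes the clause harder to parse. The rename also stops short of the last bullet, which still reads "SmartScreen will blocks URLs"; since the hunk is already touching every sibling bullet, update that one too and fix "will blocks" to "will block".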
@@ -59,20 +59,27 @@ Windows Defender SmartScreen provide an early warning system against websites th
When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
-## Viewing Windows event logs for SmartScreen
+## Viewing Windows event logs for Windows Defender SmartScreen
+Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
-SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
+Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
+
+```
+wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
+```
> [!NOTE]
> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
+
EventID | Description
-|-
-1000 | Application SmartScreen Event
-1001 | Uri SmartScreen Event
-1002 | User Decision SmartScreen Event
+1000 | Application Windows Defender SmartScreen Event
+1001 | Uri Windows Defender SmartScreen Event
+1002 | User Decision Windows Defender SmartScreen Event
## Related topics
+- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [Threat protection](../index.md)
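Review bot: under "Related topics" the new "Windows Defender SmartScreen Frequently Asked Questions (FAQ)" entry is added but the old "SmartScreen Frequently Asked Questions (FAQ)" entry is left in place, so the list now has two links to the same smartscreenfaq.aspx URL; the old line should be removed rather than kept as context. In the new event-log paragraph, "is disabled by default, users can use Event Viewer UI to enable the log or use the command line" is a comma splice; split it into two sentences and say "the Windows Defender SmartScreen event log" to match the rename applied everywhere else in the section.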
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index ca7c0039c1..9d10a82e3a 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -1,7 +1,7 @@
---
title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Security to set Windows Defender SmartScreen for individual devices.
-keywords: SmartScreen Filter, Windows SmartScreen
+keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -39,28 +39,28 @@ Starting with Windows 10, version 1703 your employees can use Windows Security t
- **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
- - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+ - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
- - In the **SmartScreen for Microsoft Edge** area:
+ - In the **Windows Defender SmartScreen for Microsoft Edge** area:
- **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
- **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
- - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+ - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
- - In the **SmartScreen from Microsoft Store apps** area:
+ - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
- **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
- - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+ - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
- 
+ 
-## How SmartScreen works when an employee tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+## How Windows Defender SmartScreen works when an employee tries to run an app
+Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
## How employees can report websites as safe or unsafe
You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
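Review bot: the bolded area names ("**Windows Defender SmartScreen for Microsoft Edge**", "**Windows Defender SmartScreen from Microsoft Store apps**") are presented as labels the employee looks for in Windows Security, so they should only change if the on-screen text changed. Please confirm the UI strings before applying the product rename to them; if the app still shows "SmartScreen for Microsoft Edge", keep the bolded label as it appears and rename only the surrounding prose.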
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 4cbc411cdd..a7def9d5fd 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10)
+title: How a Windows Defender System Guard helps protect Windows 10
description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
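Review bot: the new title "How a Windows Defender System Guard helps protect Windows 10" has a stray article; "a" was left over from "a hardware-based root of trust" when that phrase was cut. Either drop the "a" or keep the phrase the description still leads with, for example "How a hardware-based root of trust helps protect Windows 10".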
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
index 0f576ccc0f..8aba164682 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10)
+title: How a Windows Defender System Guard helps protect Windows 10
description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
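Review bot: this file receives exactly the same new title as how-hardware-based-root-of-trust-helps-protect-windows.md earlier in the patch, and both share the same description and ms.assetid in the context lines. Two pages with identical titles will be indistinguishable in search results and the table of contents; if one is a redirect or a leftover copy, it should be removed rather than retitled, and the stray "a" in the title applies here as well.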
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index 02be1db95f..49d318d5fe 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -1,6 +1,6 @@
---
-title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10)
-description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone
+title: Create Rules for Standalone Isolated Server Zone Clients (Windows 10)
+description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
ms.reviewer:
ms.author: dansimp
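Review bot: the new description "Checklist for when creating rules for clients of a Standalone Isolated Server Zone" does not parse; "for when creating" should be "for creating". The new title also drops the word "Checklist", which was the one cue that this page is a checklist rather than a procedure, so consider keeping it in the title.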
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index ea78e8de16..537198bd08 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -54,3 +54,6 @@ To complete these procedures, you must be a member of the Domain Administrators
- To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
6. Click **OK** twice.
+
+### Troubleshooting Slow Log Ingestion
+If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this will result in more resource usage due to the increased resource usage for log rotation.
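Review bot: the new "Troubleshooting Slow Log Ingestion" section refers to "Sentinel" without introducing it; nothing in the visible procedure mentions forwarding the firewall log anywhere, so the reader has no way to know which product or connector is meant. The section also tells the reader to "turn down the log file size" without naming the setting or where to change it, and the caveat repeats itself ("more resource usage due to the increased resource usage"). Suggest naming the product in full, pointing to the size setting in the steps above, and stating the trade-off once, for example that a smaller file rotates more often and rotation costs resources.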
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 5dae7a9636..61f12fe05d 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,5 +1,5 @@
---
-title: Configure the Workstation Authentication Certificate Template (Windows 10)
+title: Configure the Workstation Authentication Template (Windows 10)
description: Configure the Workstation Authentication Certificate Template
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.reviewer:
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 83f35fe206..d67461d012 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,6 +1,6 @@
---
-title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10)
-description: Designing a Windows Defender Firewall Strategy
+title: Designing a Windows Defender Firewall Strategy (Windows 10)
+description: Designing a Windows Defender Firewall with Advanced Security Strategy
ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 992c8390e8..0c27975e1b 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,5 +1,5 @@
---
-title: Gathering Information about Your Current Network Infrastructure (Windows 10)
+title: Gathering Info about Your Network Infrastructure (Windows 10)
description: Gathering Information about Your Current Network Infrastructure
ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
ms.reviewer:
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 9bdbf322d4..5e3a16c452 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,6 +1,6 @@
---
-title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10)
-description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
+title: Identify Goals for your WFAS Deployment (Windows 10)
+description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) Deployment Goals
ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
ms.reviewer:
ms.author: dansimp
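Review bot: the new title "Identify Goals for your WFAS Deployment" relies on an acronym that is only expanded in the description line below it. The title is what appears in search results and browser tabs, where the description is not shown, so a reader who does not already know "WFAS" cannot tell what the page covers. Prefer a shortened title that keeps the product name, such as "Identify Windows Defender Firewall Deployment Goals".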
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index 126a5f0dc2..b055c8d636 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,5 +1,5 @@
---
-title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10)
+title: Modify GPO Filters (Windows 10)
description: Modify GPO Filters to Apply to a Different Zone or Version of Windows
ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
ms.reviewer:
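Review bot: Shortening the title to "Modify GPO Filters" removes the only part that says what the topic is for ("to Apply to a Different Zone or Version of Windows"), and the unchanged description still carries the full wording. If the goal is a shorter title, something like "Modify GPO Filters for a Different Zone or Windows Version" would keep the scope visible.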
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index 9e395fc16f..bce220a506 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,5 +1,5 @@
---
-title: Open the Group Policy Management Console to Windows Defender Firewall (Windows 10)
+title: Open a GPO to Windows Defender Firewall (Windows 10)
description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.reviewer:
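Review bot: The new title changes the meaning, not just the length. The old title and the unchanged description are about opening the Group Policy Management Console, but "Open a GPO to Windows Defender Firewall" describes opening a GPO, and it also drops "with Advanced Security". Consider a shortened form that still names the console, and check that the title and description stay in agreement.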
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index 8909c58454..e8ec3acdbe 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,5 +1,5 @@
---
-title: Planning to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
+title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
description: Planning to Deploy Windows Defender Firewall with Advanced Security
ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
ms.reviewer:
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index 1a0ea617b9..26796b6814 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -1,6 +1,6 @@
---
-title: Understanding the Windows Defender Firewall with Advanced Security Design Process (Windows 10)
-description: Understanding the Windows Defender Firewall with Advanced Security Design Process
+title: Understand WFAS Deployment (Windows 10)
+description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
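Review bot: The new title says "Understand WFAS Deployment", but the new description on the next line, and the file name, are about the "Design Process". Design and deployment are separate topics in this doc set (this patch also retitles a planning-to-deploy topic and a deployment guide), so the title now points at the wrong subject. Suggest "Understand the WFAS Design Process".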
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index 05befcbc72..d91723c3d2 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Firewall with Advanced Security Deployment Guide (Windows 10)
+title: Deploy Windows Defender Firewall with Advanced Security (Windows 10)
description: Windows Defender Firewall with Advanced Security Deployment Guide
ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56
ms.reviewer:
Setting
@@ -115,8 +115,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
-
@@ -127,8 +127,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
-
@@ -139,8 +139,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
-
@@ -151,8 +151,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
-