diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c2fc8e0e73..ffffa7e53e 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,11 @@
 {
 "redirections": [
 {
+"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
+"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
+"redirect_document_id": true
+},
+{
 "source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
 "redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility",
 "redirect_document_id": true
@@ -5416,6 +5421,26 @@
 "redirect_document_id": true
 },
 {
+"source_path": "devices/hololens/hololens-microsoft-layout-app.md",
+"redirect_url": "/hololens/hololens-microsoft-dynamics-365-layout-app",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md",
+"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md",
+"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-public-preview-apps.md",
+"redirect_url": "https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps",
+"redirect_document_id": true
+},
+{
 "source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
 "redirect_url": "/surface-hub/provisioning-packages-for-surface-hub",
 "redirect_document_id": true
diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml
index 8be9af2e9d..4d51332890 100644
--- a/browsers/edge/group-policies/index.yml
+++ b/browsers/edge/group-policies/index.yml
@@ -202,7 +202,7 @@ sections: - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.

+ html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

image:
@@ -228,4 +228,4 @@ sections:
 src: https://docs.microsoft.com/media/common/i_policy.svg
- title: All group policies
\ No newline at end of file
+ title: All group policies
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index e1fa685f30..bec5bec56b 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -10,8 +10,5 @@
 ## [Share HoloLens with multiple people](hololens-multiple-users.md)
 ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
 ## [Install apps on HoloLens](hololens-install-apps.md)
-## [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md)
-### [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md)
-### [Microsoft Layout app](hololens-microsoft-layout-app.md)
 ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
 ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
\ No newline at end of file
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 95f7f92bed..d3b18496cd 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -9,13 +9,21 @@ author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 07/27/2018
+ms.date: 10/08/2018
 ---
 # Change history for Microsoft HoloLens documentation
 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## October 2018
+
+New or changed topic | Description
+--- | ---
+[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Removed, and redirected to [Mixed reality apps](https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps)
+[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | Removed, and redirected to [Overview of Dynamics 365 Remote Assist](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/)
+[Microsoft Dynamics 365 Layout app](hololens-microsoft-dynamics-365-layout-app.md) | Removed, and redirected to [Overview of Dynamics 365 Layout](https://docs.microsoft.com/dynamics365/mixed-reality/layout/)
+
 ## July 2018
 New or changed topic | Description
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 77e90ddb18..f7fe891a58 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -27,7 +27,7 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted,
 ## New features for HoloLens
-The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes).
+The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018).
 ### For everyone
diff --git a/devices/hololens/hololens-microsoft-layout-app.md b/devices/hololens/hololens-microsoft-layout-app.md
deleted file mode 100644
index 4f5540e858..0000000000
--- a/devices/hololens/hololens-microsoft-layout-app.md
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -title: Microsoft Layout -description: How to get and deploy the Microsoft Layout app throughout your organization -ms.prod: hololens -ms.sitesec: library -author: alhopper-msft -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/21/2018 ---- -# Microsoft Layout - -Bring designs from concept to completion with confidence and speed. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical space or virtual reality and edit with stakeholders in real time. With Microsoft Layout, see ideas in context, saving valuable time and money. - -## Device options and technical requirements - -Below are the device options, and technical requirements, to use and deploy Microsoft Layout throughout your organization. - -### Device options - -Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset with motion controllers. - -#### HoloLens requirements - -| OS requirements | Details | -|:----------------------------------|:-----------------------------------------------------------| -| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. | - -#### Windows Mixed Reality headset requirements - -| Requirements | Details | -|:----------------------------------------------|:-----------------------------------------------------------| -| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. | -| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. 
See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. | - -### Technical requirements - -Have the following technical requirements in place to start using Microsoft Layout. - -| Requirement | Details | Learn more | -|:----------------------------------|:------------------|:------------------| -| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) | -| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | | -| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.

A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](hololens-microsoft-remote-assist-app.md)

[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) | -| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, so they can be viewed and edited from the HoloLens or mixed reality headset. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | [Import Tool for Microsoft Layout](#get-and-deploy-the-import-tool-for-microsoft-layout) | - -## Get and deploy Microsoft Layout - -Microsoft Layout is available from the Microsoft Store for Business for free for a limited time: - -1. Go to the [Microsoft Layout](https://businessstore.microsoft.com/en-us/store/details/app/9NSJN53K3GFJ) app in the Microsoft Store for Business. -1. Click **Get the app**. Microsoft Layout is added to the **Products and Services** tab for your private store. -1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps. - -For a limited time, users can also [Get Microsoft Layout from the Microsoft Store](https://www.microsoft.com/store/productId/9NSJN53K3GFJ) for free. - -### Get and deploy the Import Tool for Microsoft Layout - -The **Import Tool for Microsoft Layout** is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on Microsoft HoloLens or a Windows Mixed Reality headset. 
- -The companion app is available in both the Microsoft Store for Business, and the Microsoft Store, for free for a limited time: - -* [Get the Microsoft Layout Import Tool](https://businessstore.microsoft.com/en-us/store/details/app/9N88Q3RXPLP0) from the Microsoft Store for Business. See [Distribute apps to your employees from Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) for instructions on using the Microsoft Store for Business, and/or MDM, to deploy Windows 10 apps throughout your organization. -* Alternately, have your users [Get the Microsoft Layout Import Tool](https://www.microsoft.com/store/productId/9N88Q3RXPLP0) from the Microsoft Store to install the app on their Windows 10 PC. - -## Use Microsoft Layout - -For guidance on using the features of the Microsoft Layout app, please see [Set up and use Microsoft Layout](https://support.microsoft.com/help/4294437). - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/hololens-microsoft-remote-assist-app.md b/devices/hololens/hololens-microsoft-remote-assist-app.md deleted file mode 100644 index 221c650ada..0000000000 --- a/devices/hololens/hololens-microsoft-remote-assist-app.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Microsoft Remote Assist -description: How to get and deploy the Microsoft Remote Assist app throughout your organization -ms.prod: hololens -ms.sitesec: library -author: alhopper-msft -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/22/2018 ---- -# Microsoft Remote Assist - -Collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. Firstline workers can share what they see with any expert on Microsoft Teams, while staying hands on to solve problems and complete tasks together, faster. Backed by enterprise-level security, Microsoft Remote Assist enables communication with peace of mind. - -## Technical requirements - -Below are the technical requirements to deploy and use Microsoft Remote Assist throughout your organization. - -### Device requirements - -| Device | OS requirements | Details | -|:---------------------------|:----------------------------------|:-----------------------------------------------------------| -| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. | -| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. | - -> [!Note] -> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available. - -### Licensing & product requirements - -| Product required | Details | Learn more | -|:----------------------------------|:------------------|:------------------| -| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. 
Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) | -| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) | -| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) | - -### Network requirements - -1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your company’s network bandwidth, follow these steps: - - 1. Have a Teams user video call another Teams user. - 2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user. - 3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time. - -See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more. 
- -## Get and deploy Microsoft Remote Assist - -Microsoft Remote Assist is available from the Microsoft Store for Business for free for a limited time: - -1. Go to the [Microsoft Remote Assist](https://businessstore.microsoft.com/en-us/store/details/app/9PPJSDMD680S) app in the Microsoft Store for Business. -1. Click **Get the app**. Microsoft Remote Assist is added to the **Products and Services** tab for your private store. -1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps. - -For a limited time, users can also [Get Microsoft Remote Assist from the Microsoft Store](https://www.microsoft.com/store/productId/9PPJSDMD680S) for free. - -## Use Microsoft Remote Assist - -For guidance on using the features of the Microsoft Remote Assist app, please see [Set up and use Microsoft Remote Assist](https://support.microsoft.com/en-us/help/4294812). - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). diff --git a/devices/hololens/hololens-public-preview-apps.md b/devices/hololens/hololens-public-preview-apps.md deleted file mode 100644 index e3a966f008..0000000000 --- a/devices/hololens/hololens-public-preview-apps.md +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Preview new mixed reality apps for HoloLens -description: Here's how to download and distribute new mixed reality apps for HoloLens, free for a limited time during public preview -ms.prod: hololens -ms.sitesec: library -author: alhopper -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/21/2018 ---- -# Preview new mixed reality apps for HoloLens - -Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout. - -The gap between the real and digital world limits our ability to take advantage of new technologies and transform how we work, learn, create, communicate, and live. **Mixed reality is here to close that gap**. - -Mixed reality has the potential to help customers and businesses across the globe do things that until now, have never been possible. Mixed reality helps businesses and employees complete crucial tasks faster, safer, more efficiently, and create new ways to connect to customers and partners. - -Ready to get started? Check out the links below to learn more about how you can download and deploy Microsoft's new commercial-focused mixed reality apps. - -## In this section - -| Topic | Description | -| --- | --- | -| [Microsoft Remote Assist](hololens-microsoft-remote-assist-app.md) | Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster. | -| [Microsoft Layout](hololens-microsoft-layout-app.md ) | Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. 
Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, you can see ideas in context, saving valuable time and money. | - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 786b38a1e3..2f5741df7e 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -32,7 +32,6 @@ ms.date: 07/27/2018 [Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | | [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens | -| [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Download and deploy new mixed reality apps for HoloLens, free for a limited time during public preview | | [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens | | [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. | diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index 5e6469aab1..06e75a666a 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md 
@@ -145,7 +145,7 @@ This example shows a link to a website and a link to a .pdf file.
 TileID="2678823080"
 DisplayName="Bing"
 Arguments="https://www.bing.com/"
- Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png"
+ Square150x150LogoUri="ms-appx:///"
 Wide310x150LogoUri="ms-appx:///"
 ShowNameOnSquare150x150Logo="true"
 ShowNameOnWide310x150Logo="false"
@@ -164,7 +164,10 @@ This example shows a link to a website and a link to a .pdf file.
 TileID="6153963000"
 DisplayName="cstrtqbiology.pdf"
 Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf"
- Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true"
+ Square150x150LogoUri="ms-appx:///"
+ Wide310x150LogoUri="ms-appx:///"
+ ShowNameOnSquare150x150Logo="true"
+ ShowNameOnWide310x150Logo="true"
 BackgroundColor="#ff4e4248"
 Size="4x2"
 Row="4"
@@ -177,6 +180,11 @@ This example shows a link to a website and a link to a .pdf file.
 ```
+>[!NOTE]
+>Microsoft Edge tile logos won't appear on secondary tiles because they aren't stored in Surface Hub.
+>
+>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark.
+
 ## More information
 - [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index 2406c075e7..58d620b6a8 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -19,7 +19,7 @@ Battery Limit option is a UEFI setting that changes how the Surface device batte
 Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity.
-Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [support article](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models.
+Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models.
 ## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 86bde3c803..0e0ff5dcc7 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 10/02/2018
+ms.date: 10/15/2018
 ---
 # Change history for Surface documentation
@@ -19,6 +19,7 @@ This topic lists new and updated topics in the Surface documentation library.
 New or changed topic | Description
 --- | ---
 [Battery Limit setting](battery-limit.md) | New
+|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface GO |
 ## May 2018
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index a023fdb141..116df9446d 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: brecords
-ms.date: 09/13/2018
+ms.date: 10/15/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -39,6 +39,11 @@ Recent additions to the downloads for Surface devices provide you with options t
 >A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
+## Surface GO
+
+Download the following updates for [Surface GO from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439).
+* SurfaceGO_Win10_17134_1802010_6.msi - Cumulative firmware and driver update package for Windows 10
+
 ## Surface Book 2
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 3ba289e3e6..fece916499 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -26,6 +26,8 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
 Compatible Surface devices include:
+* Surface Pro 6
+* Surface Laptop 2
 * Surface Go
 * Surface Book 2
 * Surface Pro with LTE Advanced (Model 1807)
@@ -148,6 +150,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
+### Version 3.2.69.0
+*Release Date: 12 October 2018*
+
+This version of Surface Data Eraser adds support for the following:
+
+- Surface Pro 6
+- Surface Laptop 2
+
 ### Version 3.2.68.0
 This version of Microsoft Surface Data Eraser adds support for the following:
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 445be071c9..b8ee7359dc 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -117,6 +117,15 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
 >[!Note]
 >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
+### Version 2.23.139.0
+*Release Date: 10 October 2018*
+
+This version of Surface Dock Updater adds support for the following:
+
+- Add support for Surface Pro 6
+- Add support for Surface Laptop 2
+
+
 ### Version 2.22.139.0
 *Release Date: 26 July 2018*
diff --git a/education/index.md b/education/index.md
index 974987214c..391a979d1f 100644
--- a/education/index.md
+++ b/education/index.md
@@ -25,7 +25,7 @@ ms.date: 10/30/2017
  • - +
    diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 16b671865d..817c97711f 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -10,7 +10,7 @@ ms.pagetype: edu ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 07/13/2018 +ms.date: 10/17/2018 --- # What's in my provisioning package? @@ -107,6 +107,22 @@ Set up School PCs uses the Universal app install policy to install school-releva * OneNote * Sway +## Provisioning time estimates +The time it takes to install a package on a device depends on the: + +* Strength of network connection +* Number of policies and apps withim the package +* Additional configurations made to the device + +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. + +|Configurations |Connection type |Estimated provisioning time | +|---------|---------|---------| +|Default settings only | Wi-Fi | 3 to 5 minutes | +|Default settings + apps | Wi-Fi | 10 to 15 minutes | +|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes | +|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | + ## Next steps Learn more about setting up devices with the Set up School PCs app. * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index b71c991d7c..90429edde2 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -154,23 +154,26 @@ To set up a test account through Windows Configuration Designer, follow these st 4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. -### Set up a test account in Group Policy -To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script. +### Set up a tester account in Group Policy +To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. #### Create a PowerShell script -This sample PowerShell script configures the test account and the assessment URL. Edit the sample to: +This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to: - Use your assessment URL for **$obj.LaunchURI** -- Use your test account for **$obj.TesterAccount** -- Use your test account for **-UserName** +- Use your tester account for **$obj.TesterAccount** +- Use your tester account for **-UserName** - ``` - $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; - $obj.LaunchURI='http://www.foo.com'; - $obj.TesterAccount='TestAccount'; - $obj.put() - Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount - ``` +>[!NOTE] +>The account that you specify for the tester account must already exist on the device. 
+ +``` +$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; +$obj.LaunchURI='http://www.foo.com'; +$obj.TesterAccount='TestAccount'; +$obj.put() +Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount +``` #### Create a scheduled task in Group Policy 1. Open the Group Policy Management Console. diff --git a/mdop/appv-v5/how-to-create-and-use-a-project-template.md b/mdop/appv-v5/how-to-create-and-use-a-project-template.md index 32a7d63c07..89e44e559b 100644 --- a/mdop/appv-v5/how-to-create-and-use-a-project-template.md +++ b/mdop/appv-v5/how-to-create-and-use-a-project-template.md @@ -19,8 +19,6 @@ You can use an App-V 5.0 project template to save commonly applied settings asso **Note**   You can, and often should apply an App-V 5.0 project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. -  - App-V 5.0 project templates differ from App-V 5.0 Application Accelerators because App-V 5.0 Application Accelerators are application-specific, and App-V 5.0 project templates can be applied to multiple applications. Use the following procedures to create and apply a new template. 
@@ -29,25 +27,20 @@ Use the following procedures to create and apply a new template. 1. To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. **Note**   +**Note**   If the virtual application package is currently open in the App-V 5.0 Sequencer console, skip to step 3 of this procedure. -   - - To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +2. To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. 3. In the App-V 5.0 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.0 project template. Click Save. - - The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure. +The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure. **To apply a project template** -1. **Important**   +**Important**   Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. 
-   - - To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. 2. To create or upgrade a new virtual application package by using an App-V 5.0 project template, click **File** / **New From Template**. @@ -62,9 +55,9 @@ Use the following procedures to create and apply a new template. [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md index c6f0c89d68..ded98a3926 100644 --- a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md +++ b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md @@ -24,9 +24,9 @@ Use the following procedure to configure the App-V 5.0 client configuration. `$config = Get-AppvClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppvClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppvClientConfiguration –AutoLoad 2` **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md index 4bf8017105..af53d695b0 100644 --- a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md 
+++ b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md @@ -24,9 +24,9 @@ Use the following procedure to configure the App-V 5.1 client configuration. `$config = Get-AppvClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppvClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppvClientConfiguration –AutoLoad 2` **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md index 349e62903b..78e6044a28 100644 --- a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md +++ b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md @@ -51,7 +51,7 @@ After installing Microsoft BitLocker Administration and Monitoring (MBAM) with C To view the configuration baselines with System Center 2012 Configuration Manager: Click the **Assets and Compliance** workspace, **Compliance Settings**, **Configuration Baselines**. -5. Use the Configuration Manager console to confirm that that the following new configuration items are displayed: +5. Use the Configuration Manager console to confirm that the following new configuration items are displayed: - BitLocker Fixed Data Drives Protection diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index 9709bdc21e..d383fa3117 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md 
@@ -24,6 +24,7 @@ ### [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) ### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) ### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) +### [Working with solution providers in Microsoft Store for Business](work-with-partner-microsoft-store-business.md) ## [Device Guard signing portal](device-guard-signing-portal.md) ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) diff --git a/store-for-business/images/msfb-find-partner.png b/store-for-business/images/msfb-find-partner.png new file mode 100644 index 0000000000..23759cfb5f Binary files /dev/null and b/store-for-business/images/msfb-find-partner.png differ diff --git a/store-for-business/images/msfb-provider-list.png b/store-for-business/images/msfb-provider-list.png new file mode 100644 index 0000000000..2fbafca80f Binary files /dev/null and b/store-for-business/images/msfb-provider-list.png differ diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 890829a7d5..d0c8a17014 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md 
@@ -47,7 +47,7 @@ While not required, you can use a management tool to distribute and manage apps. ## Proxy configuration -If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs: +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: - login.live.com - login.windows.net diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md new file mode 100644 index 0000000000..bb86f6ed46 --- /dev/null +++ b/store-for-business/work-with-partner-microsoft-store-business.md 
@@ -0,0 +1,79 @@ +--- +title: Work with solution providers in Microsoft Store for Business and Education (Windows 10) +description: You can work with Microsoft-certified solution providers to purchase and manage products and services for your organization or school. +keywords: partner, solution provider +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.author: TrudyHa +ms.topic: conceptual +ms.date: 10/12/2018 +--- + +# Working with solution providers in Microsoft Store for Business + +You can work with Microsoft-certified solution providers to purchase and manage products and services for your organization or school. There's a few steps involved in getting the things set up. + +The process goes like this: +- Admins find and contact a solution provider using **Find a solution provider** in Microsoft Store for Business. +- Solution providers send a request from Partner center to customers to become their solution provider. +- Customers accept the invitation in Microsoft Store for Business and start working with the solution provider. +- Customers can manage setting for the relationship with Partner in Microsoft Store for Business. + +## What can a solution provider do for my organization or school? + +There are several ways that a solution provider can work with you. Solution providers will choose one of these when they send their request to work as a partner with you. + +| Solution provider function | Description | +| ------ | ------------------- | +| Reseller | Solution providers sell Microsoft products to your organization or school. | +| Delegated administrator | Solution provider manages products and services for your organization or school. In Azure Active Directory (AD), the Partner will be a Global Administrator for tenant. This allows them to manage services like creating user accounts, assigning and managing licenses, and password resets. 
| +| Reseller & delegated administrator | This is a team of two solution providers. You'll receive one partner invitation, but there will be two Solution providers listed on the request. One will sell products, and the other will manage them for you. | +| Partner | You can give your solution provider a user account in your tenant, and they work on your behalf with other Microsoft services. | +| Microsoft Products & Services Agreement (MPSA) partner | If you've worked with multiple solution providers through the MPSA program, you can allow partners to see purchases made by each other. | +| OEM PC partner | Solution providers can upload device IDs for PCs that you're [managing with Autopilot](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). | +| Line-of-business (LOB) partner | Solution providers can develop, submit, and manage LOB apps specific for your organization or school. | + +## Find a solution provider + +You can find partner in Microsoft Store for Business and Education. + +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/). +2. Select **Find a solution provider**. + + ![Image shows Find a solution provider option in Microsoft Store for Business.](images/msfb-find-partner.png) + +3. Refine the list, or search for a solution provider. + + ![Image shows Find a solution provider option in Microsoft Store for Business.](images/msfb-provider-list.png) + +4. When you find a solution provider you're interested in working with, click **Contact**. +5. Complete and send the form. + +The solution provider will get in touch with you. You'll have a chance to learn more about them. If you decide to work with the solution provider, they will send you an email invitation from Partner Center. 
+ +## Work with a solution provider + +Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions. + +**To accept a solution provider invitation** +1. **Follow email link** - You'll receive an email with a link accept the solution provider invitation. The link will take you to Microsoft Store for Business or Education. +2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider. + +## Delegate admin privileges + +Depending on the request made by the solution provider, part of accepting the invitation will include agreeing to give delegated admin privileges to the solution provider. This will happen when the solution provider request includes acting as a delegated administrator. For more information, see [Delegated admin privileges in Azure AD](https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad). + +If you don't want to delegate admin privileges to the solution provider, you'll need to cancel the invitation instead of accepting it. + +If you delegate admin privileges to a solution provider, you can remove that later. + +**To remove delegate admin privileges** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/). +2. Select **Partner** +3. Choose the Partner you want to manage. +4. Select **Remove Delegated Permissions**. + +The solution provider will still be able to work with you, for example, as a Reseller. \ No newline at end of file 
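Review bot: The accept-invitation steps tell the admin to select **Authorize** without restating what that grants; the only place that says a delegated administrator becomes a Global Administrator for the tenant is the function table further up. I would add a sentence to the "Delegate admin privileges" section along the lines of `Accepting a request that includes delegated administration makes the solution provider a Global Administrator for your tenant; check what the request asks for before you select **Authorize**.` Wording nits in the same file: `There's a few steps`, `manage setting`, `You can find partner`, `a link accept the solution provider invitation`, and the step `Select **Partner**` lacks its period. Both screenshots also carry the same alt text.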
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index a57f6f1a55..110f01c7b0 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -5,7 +5,6 @@ ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Add apps and features in Windows 10](add-apps-and-features.md) ## [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) -### [Learn how to repackage win32 apps in the MSIX format](msix-app-packaging-tool-walkthrough.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index b6515bbde1..5ee9f992a3 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -131,53 +131,58 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a ## Provisioned Windows apps -Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. +Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809. + +``` +> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName +``` + +| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? | +|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire 
Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | | | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.Windows.Photos | [Microsoft 
Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | +| 
Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | -| Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | -|---------------------------------|----------------------------------------|:------:|:------:|:------:|:---------------------------:| -| 3D Builder | Microsoft.3DBuilder | x | | | Yes | -| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | -| App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | -| Calculator | Microsoft.WindowsCalculator | x | x | x | No | -| Camera | Microsoft.WindowsCamera | x | x | x | No | -| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes | -| Get Help | Microsoft.GetHelp | | x | x | No | -| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes | -| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | -| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | -| Groove | Microsoft.ZuneMusic | x | x | x | No | -| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | -| Maps | Microsoft.WindowsMaps | x | x | x | No | -| Messaging | Microsoft.Messaging | x | x | x | No | -| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | x | x | x | No | -| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | -| OneNote | Microsoft.Office.OneNote | x | x | x | Yes | -| Paid Wi-FI | Microsoft.OneConnect | x | x | x | Yes | -| Paint 3D | Microsoft.MSPaint | x | x | x | No | -| People | Microsoft.People | x | x | x | No | -| Photos | Microsoft.Windows.Photos | x | x | x | No | -| Print 3D | Microsoft.Print3D | | x | x | No | -| Solitaire | Microsoft.Microsoft SolitaireCollection| x | x | x | Yes | -| Sticky Notes | 
Microsoft.MicrosoftStickyNotes | x | x | x | No | -| Store | Microsoft.WindowsStore | x | x | x | No | -| Sway | Microsoft.Office.Sway | * | x | x | Yes | -| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | -| Wallet | Microsoft.Wallet | x | x | x | No | -| Weather | Microsoft.BingWeather | x | x | x | Yes | -| Xbox | Microsoft.XboxApp | x | x | x | No | -| | Microsoft.OneConnect | x | x | x | No | -| | Microsoft.DesktopAppInstaller | | | x | No | -| | Microsoft.StorePurchaseApp | x | x | x | No | -| | Microsoft.WebMediaExtensions | | | x | No | -| | Microsoft.Xbox.TCUI | | x | x | No | -| | Microsoft.XboxGameOverlay | x | x | x | No | -| | Microsoft.XboxGamingOverlay | | | x | No | -| | Microsoft.XboxIdentityProvider | x | x | x | No | -| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | --- - >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. - - ---- +--- \ No newline at end of file diff --git a/windows/application-management/msix-app-packaging-tool-walkthrough.md b/windows/application-management/msix-app-packaging-tool-walkthrough.md deleted file mode 100644 index b85a15753e..0000000000 --- a/windows/application-management/msix-app-packaging-tool-walkthrough.md +++ /dev/null 
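Review bot: The Snip & Sketch row gives the package name as `Microsoft.SkreenSketch`, while its own Store link uses `Microsoft.ScreenSketch_8wekyb3d8bbwe`. The name column looks misspelled, and a removal or allow-list script built from this table would match nothing for that app; the cell should read `Microsoft.ScreenSketch`. The Get Help row has a smaller mismatch of the same kind (`Microsoft.GetHelp` in the name column, `Microsoft.Gethelp` in the link). The sample command above the table is printed with a leading `> ` prompt inside the code fence; dropping it lets the line be pasted as is: `Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName`.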
@@ -1,160 +0,0 @@ ---- -title: Learn how to repackage your existing win32 applications to the MSIX format. This walkthrough provides in-depth detail on how the MSIX app packaging tool can be used. -description: Learn how to use the MSIX packaging tool with this in-depth walkthrough. -keywords: ["MSIX", "application", "app", "win32", "packaging tool"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: medium -ms.author: mikeblodge -ms.topic: article -ms.date: 08/027/2018 ---- - -# MSIX Packaging tool walkthrough - -Learn how to repackage your legacy win32 application installers to MSIX, without the need for making code changes to your apps. The MSIX Packaging Tool allows you to modernize your app to take adavantage of Microsoft Store or Microsoft Store for Business to deploy apps on Windows 10 in S mode. - -## Terminology - - -|Term |Definition | -|---------|---------| -|MPT | MSIX Packaging Tool. An enterprise grade tool that allows to package apps in the enterprise easily as MSIX without app code changes. | -|PSF | Package Support Framework. An open source framework to allow the packaging tool and the IT Admin to apply targeted fixes to the app in order to bypass some of the modern environment constrains. Some fixes will be added automatically by the tool and some will be added manually. | -|Modification Package | MSIX package to stores app preferences/settings and add-ins, decoupled from the main package. | -|Installer | Application installer can be an MSI, EXE, App-V , ClickOnce. | -|Project template file | Template file that saves the settings and parameters used for a certain package conversion. 
Information captured in the template includes general Tooling packaging options, settings in the options menus like exclusion lists, package deployment settings, application install location, package manifest information like Package Family Name, publisher, version and package properties like capabilities and advanced enterprise features. | - -## Creating an Application package - -![Create a package](images/welcomescreen.png) - -When the tool is first launched, you will be prompted to provide consent to sending telemtry data. It's important to note that the diagnostic data you share only comes from the app and is never used to identify or contact you. This just helps us fix things faster for you. - -![creating an application package](images/Selectinstaller.png) - -Creating an Application package is the most commonly used option. This is where you will create an MSIX package from an installer, or by manual installation of application payload. -- If an installer is being used, browse to and select the desired application installer and click **Next**. - - This field accepts a valid existing file path. - - The field can be empty if you are manually packaging. -- If there is no installer (manual packaging) click **Next**. - -*Optionally* -- Check the box under "Use Existing MSIX Package", browse, and select an existing MSIX package you'd like to update. -- Check the box under "Use installer Preferences" and enter the desired argument in the provided field. This field accepts any string. - -### Packaging method -![selecting the package environment](images/selectenvironmentthiscomputer.png) -- Select the packaging environment by selecting one of the radio buttons: - - "Create package on an existing virtual machine" if you plan to do the package creation on a VM. Click **Next**. (You will be presented with user and password fields to provide credentials for the VM if there are any). 
- - "Create package on this computer" if you plan to package the application on the current machine where the tool is installed. Click **Next**. - -### Create package on this computer - -![Create a package on this computer](images/packageinfo.png) - -You've selected to package your application on the current machine where the tool is installed. Nice job! Provide the information pertaining to the app. The tool will try to auto-fill these fields based on the information available from the installer. You will always have a choice to update the entries as needed. If the field as an asterisk*, it's required, but you already knew that. Inline help is provided if the entry is not valid. - -- Package name: - - Required and corresponds to package identity Name in the manifest to describe the contents of the package. - - Must match the Name subject information of the certificate used to sign a package. - - Is not shown to the end user. - - Is case-sensitive and cannot have a space. - - Can accept string between 3 and 50 characters in length that consists of alpha-numeric, period, and dash characters. - - Cannot end with a period and be one of these: "CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", and "LPT9." -- Package display name: - - Required and corresponds to package in the manifest to display a friendly package name to the user, in start menu and settings pages. - - Field accepts A string between 1 and 256 characters in length and is localizable. -- Publisher name - - Required and corresponds to package that describes the publisher information. - - The Publisher attribute must match the publisher subject information of the certificate used to sign a package. 
- - This field accepts a string between 1 and 8192 characters in length that fits the regular expression of a distinguished name : "(CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")(, ((CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")))*". -- Publisher display name - - Reuqired and corresponds to package in the manifest to display a friendly publisher name to the user, in App installer and settings pages. - - Field accepts A string between 1 and 256 characters in length and is localizable. -- Version - - Required and corresponds to package in the manifest to describe the The version number of the package. - - This field accepts a version string in quad notation, "Major.Minor.Build.Revision". -- Install location - - This is the location that the installer is going to copy the application payload to (usually Programs Files folder). - - This field is optional but recommended. - - Browse to and select a folder path. - - Make sure this filed matches Installers Install location while you go through the application install operation. - -### Prepare computer - -![prepare your computer](images/preparecomputer.png) - -- You are provided with options to prepare the computer for packaging. -- MSIX Packaging Tool Driver is required and the tool will automatically try to enable it if it is not enabled. - > [!NOTE] - > MSIX Packaging tool driver monitors the system to capture the changes that an installer is making on the system which allows MSIX Packaging Tool to create a package based on those changes. - - The tool will first check with DISM to see if the driver is installed. 
-- [Optional] Check the box for “Windows Search is Active” and select “disable selected” if you choose to disable the search service. - - This is not required, only recommended. - - Once disabled, the tool will update the status field to “disabled” -- [Optional] Check the box for “Windows Update is Active” and select “disable selected” if you choose to disable the Update service. - - This is not required, only recommended. - - Once disabled, the tool will update the status field to “disabled” -- “Pending reboot” checkbox is disabled by default. You'll need to manually restart the machine and then launch the tool again if you are prompted that pending operations need a reboot. - - This not required, only recommended. -When you're done preparing the machine, click **Next**. - -### Installation - -![Installation phase for capturing the install operations](images/installation.png) - -- This is installation phase where the tool is monitoring and capturing the application install operations. -- If you've provided an installer, the tool will launch the installer and you'll need to go through the installer wizard to install the application. - - Make sure the installation path matches what was defined earlier in the package information page. - - You'll need to create a shortcut in desktop for the newly installed application. - - Once you're done with the application installation wizard, make sure you finish or close on the installation wizard. - - If you need to run multiple installers you can do that manually at this point. - - If the app needs other pre-reqs, you need to install them now. - - If the application needs .Net 3.5/20, add the optional feature to Windows. -- If installer was not provided, manually copy the application binaries to the install location that you've defined earlier in package information. -- When you've completed installing the application, click **Next**. 
- -### Manage first launch tasks - -![Managing first launch tasks](images/managefirstlaunchtasks.png) - -- This page shows application executables that the tool captured. -- We recommended launching the application at least once to capture any first launch tasks. -- If there are multiple applications, check the box that corresponds to the main entry point. -- If you don't see the application .exe here, manually browse to and run it. -- Click **Next** - -![pop up asking for confirmation you are done monitoring](images/donemonitoring..png) - -You'll be prompted with a pop up asking for confirmation that you're finished with application installation and managing first launch tasks. -- If you're done, click **Yes, move on**. -- If you're not done, click **No, I'm not done**. You'll be taken back to the last page to where you can launch applications, install or copy other files, and dlls/executables. - -### Package support report - -![Package support, runtime fixes that might be appliciable to the app](images/packagesupport.png) - -- Here you'll have a chance to add PSF runtime fixes that might be applicable to the application. *(not supported in preview)* - - The tool will make some suggestions and apply fixes that it thinks are applicable. - - You'll have the opportunity to add, remove or edit PSF runtime fixes - - You can see a list of PSFs provided by the community from Github. - - You'll also see a packaging report on this page. The report will call out noteworthy items for example: - - If certain restricted capabilities like allowElevation is added - - If certain files were excluded from the package. - - Etc -Once done, click **Next**. - -## Create package - -![Creating the new package](images/createpackage.png) - -- Provide a location to save the MSIX package. -- By default, packages are saved in local app data folder. -- You can define the default save location in Settings menu. 
-- If you'd like to continue to edit the content and properties of the package before saving the MSIX package, you can select “Package editor” and be taken to package editor. -- If you prefer to sign the package with a pre-made certificate for testing, browse to and select the certificate. -- Click **Create** to create the MSIX package. - -You'll be presented with the pop up when the package is created. This pop up will include the name, publisher, and save location of the newly created package. You can close this pop up and get redirected to the welcome page. You can also select package editor to see and modify the package content and properties. diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index c4e31dc19c..1500f26da8 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -8,42 +8,19 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: mikeblodge ms.topic: article -ms.date: 09/21/2018 +ms.date: 10/16/2018 --- # Repackage existing win32 applications to the MSIX format -The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). +The MSIX Packaging Tool is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store. > Prerequisites: -- Participation in the Windows Insider Program +- Participate in the Windows Insider Program or update to Windows 10 October 2018 Update (version 1809) - Minimum Windows 10 build 17701 - Admin privileges on your PC account -- A valid MSA alias (to access the app from the Store) - -## What's new -v1.2018.915.0 -- Updated UI to improve clarity and experience -- Ability to generate a template file for use with a command line -- Ability to add/remove entry points -- Ability to sign your package from package editor -- File extension handling - -v1.2018.821.0 -- Command Line Support -- Ability to use existing local virtual machines for packaging environment. -- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues. -- Minor updates to the UI for added clarity. - -v1.2018.807.0 -- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. -- Fixed an issue where signing with password protected certificates would fail in the tool. 
-- Fixed an issue where the tool was crashing when editing an existing MSIX package. -- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. -- Minor UI tweaks to add clarity. -- Minor updates to the logs to add clarity. - +- A valid Micorsoft account (MSA) alias to access the app from the Store ## Installing the MSIX Packaging Tool @@ -51,7 +28,7 @@ v1.2018.807.0 2. Open the product description page. 3. Click the install icon to begin installation. -This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview: +Here is what you can expect to be able to do with this tool: - Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. - Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. @@ -99,7 +76,8 @@ Requirements: AllowTelemetry="true" ApplyAllPrepareComputerFixes="true" GenerateCommandLineFile="true" - AllowPromptForPassword="false" > + AllowPromptForPassword="false" + EnforceMicrosoftStoreVersioningRequirements="false"> 
@@ -200,6 +178,7 @@ Here is the complete list of parameters that you can use in the Conversion templ
 |Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. |
 |Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. |
 |Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. |
+|Settings:: EnforceMicrosoftStoreVersioningRequirements|[optional] Instructs the tool to enforce the package versioning scheme required for deployment from Microsoft Store and Microsoft Store for Business.|
 |ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. |
 |ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. |
 |ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. |
@@ -250,8 +229,7 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. ## Known issues -1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. -2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. -3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. - - +- MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. 
+- Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. +- Setting **EnforceMicrosoftStoreVersioningRequirements=true**, when using the command line interface, will throw an error, even if the vesrion is set correctly. To work around this issue, use **EnforceMicrosoftStoreVersioningRequirements=false** in the conversion template file. +- Adding files to MSIX packages in package editor does not add the file to the folder that the user right-clicks. To work around this issue, ensure that the file being added is in the correct classic app location. For example if you want to add a file in the VFS\ProgramFilesx86\MyApp folder, copy the file locally to your C:\Program Files (86)\MyApp location first, then in the package editor right-click **Package files**, and then click **Add file**. Browse to the newly copied file, then click **Save**. \ No newline at end of file diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index b7f6316a52..082c384d37 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -50,6 +50,10 @@ These tools were included in previous versions of Windows and the associated doc >[!TIP]   >If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.  +## Related topics + +[Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview) +   
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 1aa38eb7ba..7c666a3977 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -23,6 +23,9 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ![Remote Desktop Connection client](images/rdp.png) +>[!TIP] +>Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics) + ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 3225ed9730..9890c9db97 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md 
@@ -61,22 +61,11 @@ First, you create a default user profile with the customizations that you want, 3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -3. For devices running Windows 10, use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications: - - - Microsoft.windowscommunicationsapps_8wekyb3d8bbwe - - Microsoft.BingWeather_8wekyb3d8bbwe - - Microsoft.DesktopAppInstaller_8wekyb3d8bbwe - - Microsoft.Getstarted_8wekyb3d8bbwe - - Microsoft.Windows.Photos_8wekyb3d8bbwe - - Microsoft.WindowsCamera_8wekyb3d8bbwe - - Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe - - Microsoft.WindowsStore_8wekyb3d8bbwe - - Microsoft.XboxApp_8wekyb3d8bbwe - - Microsoft.XboxIdentityProvider_8wekyb3d8bbwe - - Microsoft.ZuneMusic_8wekyb3d8bbwe +3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10). + >[!NOTE] - >Uninstalling these apps will decrease sign-in time. If your deployment needs any of these apps, you can leave them installed. 
+ >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. 3. At a command prompt, type the following command and press **ENTER**. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 10bf5bf5c8..170d3d38f2 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -17,7 +17,7 @@ ### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) ### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md) ## [Enterprise app management](enterprise-app-management.md) -## [Device update management](device-update-management.md) +## [Mobile device management (MDM) for device updates](device-update-management.md) ## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md) ## [Management tool for the Microsoft Store for Business](management-tool-for-windows-store-for-business.md) ### [REST API reference for Microsoft Store for Business](rest-api-reference-windows-store-for-business.md) diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 6562fc73d0..680d7840ab 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -187,7 +187,7 @@ The following snippet shows the policy web service response. ``` HTTP/1.1 200 OK Date: Fri, 03 Aug 2012 20:00:00 GMT -Server: +Server: Content-Type: application/soap+xml Content-Length: xxxx diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 128a41801d..f3c9fd3fc3 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md 
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -2,18 +2,18 @@ title: ClientCertificateInstall CSP description: ClientCertificateInstall CSP ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 -ms.author: maricia +ms.author: pashort ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque -ms.date: 11/03/2017 +author: shortpatti +ms.date: 10/16/2018 --- # ClientCertificateInstall CSP -The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. +The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. @@ -90,7 +90,7 @@ The following image shows the ClientCertificateInstall configuration service pro

    Supported operations are Get, Add, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -

    Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever. +

    Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.

    The data type is int. Valid values: diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 977dd79898..b95fc98b5b 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -626,7 +626,7 @@ Supported operations are Get, Add, Delete noreplace 3 - Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. + Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 350ea6ad5e..bac0f13074 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -2744,11 +2744,17 @@ The following list shows the configuration service providers supported in Window - [DMAcc CSP](dmacc-csp.md) - [DMClient CSP](dmclient-csp.md) - [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) - [Policy CSP](policy-configuration-service-provider.md) - [Provisioning CSP (Provisioning only)](provisioning-csp.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) 1 - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) - [Update CSP](update-csp.md) - [VPNv2 CSP](vpnv2-csp.md) - [WiFi CSP](wifi-csp.md) - + Footnotes: +- 1 - Added in Windows 10, version 1809 diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 84e3a07225..82cf5ef7d9 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -1,5 +1,5 @@ --- -title: Device update management +title: Mobile device management MDM for device updates description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 keywords: mdm,management,administrator @@ -12,7 +12,7 @@ ms.date: 11/15/2017 --- -# Device update management +# Mobile device management (MDM) for device updates >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 4d654c47d2..9842a88a1e 100644 --- a/windows/client-management/mdm/firewall-csp.md 
+++ b/windows/client-management/mdm/firewall-csp.md @@ -332,11 +332,11 @@ Sample syncxml to provision the firewall settings to evaluate

    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -

    Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

    +

    Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/Status** -

    Provides information about the specific verrsion of the rule in deployment for monitoring purposes.

    +

    Provides information about the specific version of the rule in deployment for monitoring purposes.

    Value type is string. Supported operation is Get.

    **FirewallRules/_FirewallRuleName_/Name** diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index a5e489976e..72b31a82e2 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -61,7 +61,7 @@ When an organization wants to move to MDM to manage devices, they should prepare - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) - [Enterprise app management](enterprise-app-management.md) -- [Device update management](device-update-management.md) +- [Mobile device management (MDM) for device updates](device-update-management.md) - [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) - [OMA DM protocol support](oma-dm-protocol-support.md) - [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6f425c85b1..0a4599051d 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
@@ -5020,13 +5020,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) -- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) -- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) - [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [Settings/AllowDateTime](#settings-allowdatetime) @@ -5040,6 +5034,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Update/UpdateServiceUrl](#update-updateserviceurl) + ## Policies that can be set using Exchange Active Sync (EAS) diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 4349340530..480f8257ed 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
@@ -1055,7 +1055,7 @@ If you choose to completely wipe a device when lost or when an employee leaves t A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system. -**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. +**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. **Settings for personal or corporate device retirement** - **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system) 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 3483fedd7a..f14d66e522 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -17,6 +17,12 @@ ms.date: 10/02/2018 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## October 2018 + +New or changed topic | Description +--- | --- +[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) and [Set up a single-app kiosk](kiosk-single-app.md) | Added event log path for auto-logon issues. + ## RELEASE: Windows 10, version 1809 The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added: diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 2317f9ef8e..603ee4e60e 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -6,7 +6,7 @@ keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: coreyp +author: coreyp-at-msft ms.author: coreyp ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/images/enable-assigned-access-log.png b/windows/configuration/images/enable-assigned-access-log.png new file mode 100644 index 0000000000..d16f04c43a Binary files /dev/null and b/windows/configuration/images/enable-assigned-access-log.png differ diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 346ce64c96..7932dafc17 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md 
@@ -38,6 +38,12 @@ Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, a Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

    **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +## Enable logging + +Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. + +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) + ## Automatic logon In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 9f16d7bc3b..4af964b132 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 10/09/2018 --- # Set up a single-app kiosk 
@@ -185,7 +185,7 @@ Clear-AssignedAccess >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. @@ -200,7 +200,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des ![step three](images/three.png) ![account management](images/account-management.png)

    Enable account management if you want to configure settings on this page.

    **If enabled:**

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png) ![step four](images/four.png) ![add applications](images/add-applications.png)

    You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

    **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. ![add an application](images/add-applications-details.png) ![step five](images/five.png) ![add certificates](images/add-certificates.png)

    To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](images/add-certificates-details.png) -![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.![Configure kiosk account and app](images/kiosk-account-details.png) +![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.![Configure kiosk account and app](images/kiosk-account-details.png) ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

    On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png) ![finish](images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](images/finish-details.png) diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index 6857cf8aac..d724cae559 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/09/2018 ms.author: jdecker ms.topic: article --- @@ -34,7 +34,14 @@ For example: 1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. +4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) + + +## Automatic logon issues + +Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. ## Apps configured in AllowedList are blocked diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 27bc5fc49f..eb3d236c32 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md 
@@ -25,6 +25,9 @@ ms.date: 4/16/2018 IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. +> [!Important] +> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. + ## Options to configure access to Microsoft Store @@ -80,8 +83,7 @@ You can also use Group Policy to manage access to Microsoft Store. 4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. > [!Important] -> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store. - +> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store. ## Block Microsoft Store using management tool diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 7ac31a3a1f..d6ca23c105 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -96,4 +96,4 @@ You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom- ## Have a suggestion for UE-V? -Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).
    For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). +For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index ae8d42c8ee..ff12b64898 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -30,7 +30,7 @@ Enter the account and the application you want to use for Assigned access, using **Example**: ``` -"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" +{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} ``` ## MultiAppAssignedAccessSettings diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 00f8037780..b22277a8f5 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -20,7 +20,7 @@ ms.date: 06/19/2018 - Windows 10 -> **Looking for consumer information?** See [Customize the Start menu](https://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) +> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. 
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 6577188cbc..56f7b039b0 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -218,9 +218,17 @@
 ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
 ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
 ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
+### [Get started with Windows Update](update/windows-update-overview.md)
+#### [How Windows Update works](update/how-windows-update-works.md)
+#### [Windows Update log files](update/windows-update-logs.md)
+#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md)
+#### [Common Windows Update errors](update/windows-update-errors.md)
+#### [Windows Update error code reference](update/windows-update-error-reference.md)
+#### [Other Windows Update resources](update/windows-update-resources.md)
 ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
 #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
 #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
+#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md)
 ### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
 #### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
 #### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index ded250b312..6ea42e8bc1 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -21,7 +21,7 @@ This topic provides a brief overview of Microsoft 365 and describes how to use a [Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). -For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: +For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: - Windows Autopilot - In-place upgrade diff --git a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG differ diff --git a/windows/deployment/images/UC_00_marketplace_search.PNG b/windows/deployment/images/UC_00_marketplace_search.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/images/UC_00_marketplace_search.PNG differ diff --git a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG new file mode 100644 index 0000000000..4b34311112 Binary files /dev/null and b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG differ 
diff --git a/windows/deployment/images/UC_01_marketplace_create.PNG b/windows/deployment/images/UC_01_marketplace_create.PNG
new file mode 100644
index 0000000000..4b34311112
Binary files /dev/null and b/windows/deployment/images/UC_01_marketplace_create.PNG differ
diff --git a/windows/deployment/images/UC_02_workspace_create - Copy.PNG b/windows/deployment/images/UC_02_workspace_create - Copy.PNG
new file mode 100644
index 0000000000..ed3eeeebbb
Binary files /dev/null and b/windows/deployment/images/UC_02_workspace_create - Copy.PNG differ
diff --git a/windows/deployment/images/UC_02_workspace_create.PNG b/windows/deployment/images/UC_02_workspace_create.PNG
new file mode 100644
index 0000000000..ed3eeeebbb
Binary files /dev/null and b/windows/deployment/images/UC_02_workspace_create.PNG differ
diff --git a/windows/deployment/images/UC_03_workspace_select - Copy.PNG b/windows/deployment/images/UC_03_workspace_select - Copy.PNG
new file mode 100644
index 0000000000..d00864b861
Binary files /dev/null and b/windows/deployment/images/UC_03_workspace_select - Copy.PNG differ
diff --git a/windows/deployment/images/UC_03_workspace_select.PNG b/windows/deployment/images/UC_03_workspace_select.PNG
new file mode 100644
index 0000000000..d00864b861
Binary files /dev/null and b/windows/deployment/images/UC_03_workspace_select.PNG differ
diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG
new file mode 100644
index 0000000000..3ea9f57531
Binary files /dev/null and b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG differ
diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG
new file mode 100644
index 0000000000..3ea9f57531
Binary files /dev/null and b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG differ
diff --git a/windows/deployment/images/UC_tile_assessing - Copy.PNG b/windows/deployment/images/UC_tile_assessing - Copy.PNG
new file mode 100644
index 0000000000..2709763570
Binary files /dev/null and b/windows/deployment/images/UC_tile_assessing - Copy.PNG differ
diff --git a/windows/deployment/images/UC_tile_assessing.PNG b/windows/deployment/images/UC_tile_assessing.PNG
new file mode 100644
index 0000000000..2709763570
Binary files /dev/null and b/windows/deployment/images/UC_tile_assessing.PNG differ
diff --git a/windows/deployment/images/UC_tile_filled - Copy.PNG b/windows/deployment/images/UC_tile_filled - Copy.PNG
new file mode 100644
index 0000000000..f7e1bab284
Binary files /dev/null and b/windows/deployment/images/UC_tile_filled - Copy.PNG differ
diff --git a/windows/deployment/images/UC_tile_filled.PNG b/windows/deployment/images/UC_tile_filled.PNG
new file mode 100644
index 0000000000..f7e1bab284
Binary files /dev/null and b/windows/deployment/images/UC_tile_filled.PNG differ
diff --git a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG
new file mode 100644
index 0000000000..fa7550f0f5
Binary files /dev/null and b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG differ
diff --git a/windows/deployment/images/UC_workspace_DO_status.PNG b/windows/deployment/images/UC_workspace_DO_status.PNG
new file mode 100644
index 0000000000..fa7550f0f5
Binary files /dev/null and b/windows/deployment/images/UC_workspace_DO_status.PNG differ
diff --git a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG
new file mode 100644
index 0000000000..14966b1d8a
Binary files /dev/null and b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG differ
diff --git a/windows/deployment/images/UC_workspace_FU_status.PNG b/windows/deployment/images/UC_workspace_FU_status.PNG
new file mode 100644
index 0000000000..14966b1d8a
Binary files /dev/null and b/windows/deployment/images/UC_workspace_FU_status.PNG differ
diff --git a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG
new file mode 100644
index 0000000000..3564c9b6e5
Binary files /dev/null and b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG differ
diff --git a/windows/deployment/images/UC_workspace_SU_status.PNG b/windows/deployment/images/UC_workspace_SU_status.PNG
new file mode 100644
index 0000000000..3564c9b6e5
Binary files /dev/null and b/windows/deployment/images/UC_workspace_SU_status.PNG differ
diff --git a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG
new file mode 100644
index 0000000000..40dcaef949
Binary files /dev/null and b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG differ
diff --git a/windows/deployment/images/UC_workspace_WDAV_status.PNG b/windows/deployment/images/UC_workspace_WDAV_status.PNG
new file mode 100644
index 0000000000..40dcaef949
Binary files /dev/null and b/windows/deployment/images/UC_workspace_WDAV_status.PNG differ
diff --git a/windows/deployment/images/UC_workspace_home.PNG b/windows/deployment/images/UC_workspace_home.PNG
new file mode 100644
index 0000000000..4269eb8c4d
Binary files /dev/null and b/windows/deployment/images/UC_workspace_home.PNG differ
diff --git a/windows/deployment/images/UC_workspace_needs_attention - Copy.png b/windows/deployment/images/UC_workspace_needs_attention - Copy.png
new file mode 100644
index 0000000000..be8033a9d6
Binary files /dev/null and b/windows/deployment/images/UC_workspace_needs_attention - Copy.png differ
diff --git a/windows/deployment/images/UC_workspace_needs_attention.png b/windows/deployment/images/UC_workspace_needs_attention.png
new file mode 100644
index 0000000000..be8033a9d6
Binary files /dev/null and b/windows/deployment/images/UC_workspace_needs_attention.png differ
diff --git a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG
new file mode 100644
index 0000000000..beb04cdc18
Binary files /dev/null and b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG differ
diff --git a/windows/deployment/images/UC_workspace_overview_blade.PNG b/windows/deployment/images/UC_workspace_overview_blade.PNG
new file mode 100644
index 0000000000..beb04cdc18
Binary files /dev/null and b/windows/deployment/images/UC_workspace_overview_blade.PNG differ
diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md
index 6d5df32e07..68efc2b293 100644
--- a/windows/deployment/planning/windows-10-1809-removed-features.md
+++ b/windows/deployment/planning/windows-10-1809-removed-features.md
@@ -32,7 +32,6 @@ We're removing the following features and functionalities from the installed pro |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| -|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).| |Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).| ## Features we’re no longer developing diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md new file mode 100644 index 0000000000..4126e2c7cf --- /dev/null +++ b/windows/deployment/update/PSFxWhitepaper.md 
@@ -0,0 +1,203 @@ +--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: Jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 10/18/2018 +--- + +# Windows Updates using forward and reverse differentials + + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as + Windows 10, version 1809 (Windows 10 Build 17763.1) + +- *Revision*: Minor releases in between the major version releases, such as + KB4464330 (Windows 10 Build 17763.55) + +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that + contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. 
It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size + +- Applicable to all baselines + +- Simple to build + +- Efficient to install + +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version +1803 and older supported versions of Windows 10) are optimized by using express +download. Express download is optimized such that updating Windows 10 systems +will download the minimum number of bytes. This is achieved by generating +differentials for every updated file based on selected historical base revisions +of the same file + its base or RTM version. 
+ +For example, if the October monthly quality update has updated Notepad.exe, +differentials for Notepad.exe file changes from September to October, August to +October, July to October, June to October, and from the original feature release +to October are generated. All these differentials are stored in a Patch Storage +File (PSF, also referred to as “express download files”) and hosted or cached on +Windows Update or other update management or distribution servers (for example, +Windows Server Update Services (WSUS), System Center Configuration Manager, or a +non-Microsoft update management or distribution server that supports express +updates). A device leveraging express updates uses network protocol to determine +optimal differentials, then downloads only what is needed from the update +distribution endpoints. + +The flipside of express download is that the size of PSF files can be very large +depending on the number of historical baselines against which differentials were +calculated. Downloading and caching large PSF files to on-premises or remote +update distribution servers is problematic for most organizations, hence they +are unable to leverage express updates to keep their fleet of devices running +Windows 10 up to date. Secondly, due to the complexity of generating +differentials and size of the express files that need to be cached on update +distribution servers, it is only feasible to generate express download files for +the most common baselines, thus express updates are only applicable to selected +baselines. Finally, calculation of optimal differentials is expensive in terms +of system memory utilization, especially for low-cost systems, impacting their +ability to download and apply an update seamlessly. 
+ +In the following sections, we describe how Windows 10 quality updates will +leverage this technique based on forward and reverse differentials for newer +releases of Windows 10 and Windows Server to overcome the challenges with +express downloads. + +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from +quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM +(∆N→RTM) for each file that has changed since RTM. By using the RTM version as +the baseline, we ensure that all devices will have an identical payload. Update +package metadata, content manifests, and forward and reverse differentials will +be packaged into a cabinet file (.cab). This .cab file, and the applicability +logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. +These files will not have RTM baselines, thus forward and reverse differentials +cannot be used. In these scenarios, null differentials will be used to handle +servicing. Null differentials are the slightly compressed and optimized version +of the full binaries. Update packages can have either +forward or reverse differentials, or null differential of any given binary in +them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are +determined to be applicable, the Windows component servicing infrastructure will +hydrate the full files during pre-installation and then proceed with the usual +installation process. 
+ +Below is a high-level sequence of activities that the component servicing +infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. + +- Hydrate each of necessary files using current version (VN) of the file, + reverse differential (VN--->RTM) of the file back to quality update RTM/base + version and forward differential (VRTM--->R) from feature update RTM/base + version to the target version. Also, use null differential hydration to + hydrate null compressed files. + +- Stage the hydrated files (full file), forward differentials (under ‘f’ + folder) and reverse differentials (under ‘r’ folder) or null compressed + files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). + +- Resolve any dependencies and install components. + +- Clean up older state (VN-1); the previous state VN is retained for + uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that +could occur due to susceptibility of certain types of hardware to file system +corruption, a corruption repair service has been traditionally used to recover +the component store automatically (“automatic corruption repair”) or on demand +(“manual corruption repair”) using an online or local repair source. This +service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption +repair will start as usual and use the Baseless Patch Storage File published to +Windows Update for each update to fix corrupted manifests, binary differentials, +or hydrated or full files. Baseless patch storage files will contain reverse and +forward differentials and full files for each updated component. Integrity of +the repair files will be hash verified. 
+ +Corruption repair will use the component manifest to detect missing files and +get hashes for corruption detection. During update installation, new registry +flags for each differential staged on the machine will be set. When automatic +corruption repair runs, it will scan hydrated files using the manifest and +differential files using the flags. If the differential cannot be found or +verified, it will be added to the list of corruptions to repair. + +### Lazy automatic corruption repair + +“Lazy automatic corruption repair” runs during update operations to detect +corrupted binaries and differentials. While applying an update, if hydration of +any file fails, "lazy" automatic corruption repair automatically starts, +identifies the corrupted binary or differential file, and then adds it to the +corruption list. Later, the update operation continues as far as it can go, so +that "lazy" automatic corruption repair can collect as many corrupted files to fix +as possible. At the end of the hydration section, the update fails, and +automatic corruption repair starts. Automatic corruption repair runs as usual +and at the end of its operation, adds the corruption list generated by "lazy" +automatic corruption repair on top of the new list to repair. Automatic +corruption repair then repairs the files on the corruption list and installation +of the update will succeed on the next attempt. diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 3e28db2683..890e0c33bb 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md 
@@ -57,7 +57,7 @@ Clicking the header of the Frequently Crashing Devices blade opens a reliability Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter. >[!NOTE] ->Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that that version has a low crash rate. +>Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that the version has a low crash rate. >[!TIP] >Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.” diff --git a/windows/deployment/update/images/PSF1.png b/windows/deployment/update/images/PSF1.png new file mode 100644 index 0000000000..3476cf6c11 Binary files /dev/null and b/windows/deployment/update/images/PSF1.png differ diff --git a/windows/deployment/update/images/PSF2.png b/windows/deployment/update/images/PSF2.png new file mode 100644 index 0000000000..1da8698dff Binary files /dev/null and b/windows/deployment/update/images/PSF2.png differ 
diff --git a/windows/deployment/update/images/PSF3.png b/windows/deployment/update/images/PSF3.png
new file mode 100644
index 0000000000..79be89cea3
Binary files /dev/null and b/windows/deployment/update/images/PSF3.png differ
diff --git a/windows/deployment/update/images/PSF4.png b/windows/deployment/update/images/PSF4.png
new file mode 100644
index 0000000000..20f9a1a887
Binary files /dev/null and b/windows/deployment/update/images/PSF4.png differ
diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG
new file mode 100644
index 0000000000..dcdf25d38a
Binary files /dev/null and b/windows/deployment/update/images/UC_00_marketplace_search.PNG differ
diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG
new file mode 100644
index 0000000000..4b34311112
Binary files /dev/null and b/windows/deployment/update/images/UC_01_marketplace_create.PNG differ
diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG
new file mode 100644
index 0000000000..ed3eeeebbb
Binary files /dev/null and b/windows/deployment/update/images/UC_02_workspace_create.PNG differ
diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG
new file mode 100644
index 0000000000..d00864b861
Binary files /dev/null and b/windows/deployment/update/images/UC_03_workspace_select.PNG differ
diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG
new file mode 100644
index 0000000000..3ea9f57531
Binary files /dev/null and b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG differ
diff --git a/windows/deployment/update/images/UC_tile_assessing.PNG b/windows/deployment/update/images/UC_tile_assessing.PNG
new file mode 100644
index 0000000000..2709763570
Binary files /dev/null and b/windows/deployment/update/images/UC_tile_assessing.PNG differ
diff --git a/windows/deployment/update/images/UC_tile_filled.PNG b/windows/deployment/update/images/UC_tile_filled.PNG
new file mode 100644
index 0000000000..f7e1bab284
Binary files /dev/null and b/windows/deployment/update/images/UC_tile_filled.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_DO_status.PNG b/windows/deployment/update/images/UC_workspace_DO_status.PNG
new file mode 100644
index 0000000000..fa7550f0f5
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_DO_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_FU_status.PNG b/windows/deployment/update/images/UC_workspace_FU_status.PNG
new file mode 100644
index 0000000000..14966b1d8a
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_FU_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_SU_status.PNG b/windows/deployment/update/images/UC_workspace_SU_status.PNG
new file mode 100644
index 0000000000..3564c9b6e5
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_SU_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG
new file mode 100644
index 0000000000..40dcaef949
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_needs_attention.png b/windows/deployment/update/images/UC_workspace_needs_attention.png
new file mode 100644
index 0000000000..be8033a9d6
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_needs_attention.png differ
diff --git a/windows/deployment/update/images/UC_workspace_overview_blade.PNG b/windows/deployment/update/images/UC_workspace_overview_blade.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_overview_blade.PNG differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index ae2fc715ad..595bed72af 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -45,3 +45,5 @@ Typically, the improvements are reliability, security, and performance improveme * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/en-us/search?query=servicing%20stack%20update%20Windows%2010). + diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 9c77b0f094..c29062acb5 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/27/2018 +ms.date: 10/04/2018 keywords: oms, operations management suite, optimization, downloads, updates, log analytics ms.localizationpriority: medium --- 
@@ -15,9 +15,7 @@ ms.localizationpriority: medium # Delivery Optimization in Update Compliance The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ->[!Note] ->Delivery Optimization Status is currently in development. See the [Known Issues](#known-issues) section for issues we are aware of and potential workarounds. - +![DO status](images/UC_workspace_DO_status.png) ## Delivery Optimization Status @@ -27,7 +25,7 @@ The Delivery Optimization Status section includes three blades: - The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category - The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers). -![DO status](images/uc-DO-status.png) + ## Device Configuration blade @@ -46,8 +44,3 @@ The download sources that could be included are: - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used) - HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. -## Known Issues -Delivery Optimization is currently in development. The following issues are known: - -- DO Download Mode is not accurately portrayed in the Device Configuration blade. There is no workaround at this time. - diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 0235ac8cea..1bc0919648 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md 
@@ -5,20 +5,20 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/18/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- # Feature Update Status -![The Feature Update Status report](images/uc-featureupdatestatus.png) +![The Feature Update Status report](images/UC_workspace_FU_status.png) -The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels). +The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). 
## Overall Feature Update Status -The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and OS Version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. +The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. ## Deployment Status by Servicing Channel @@ -31,4 +31,3 @@ Refer to the following list for what each state means: * Devices that have failed the given feature update installation are counted as **Update failed**. * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. -Clicking on any row will navigate to the query relevant to that feature update. These queries are attached to [Perspectives](update-compliance-perspectives.md) that contain detailed deployment data for that update. 
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 89e5ebf0c7..37d565f4d1 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -8,76 +8,65 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 10/04/2018 ms.localizationpriority: medium --- # Get started with Update Compliance - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: -1. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite. -2. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) to your organization’s devices. -3. [Use Update Compliance to monitor Windows Updates](#use-update-compliance-to-monitor-windows-updates) once your devices are enrolled. +1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). +2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. 
+## Update Compliance prerequisites +Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: +1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. +3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. +4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-enterprise-faq-itpro). 
-## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics +## Add Update Compliance to your Azure subscription +Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. ->[!IMPORTANT] ->Update Compliance is a free solution for Azure subscribers. +> [!NOTE] +> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. -If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. 
+![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) +3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. -If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: +![Update Compliance solution creation](images/UC_01_marketplace_create.png) -1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - ![Operations Management Suite bar with sign-in button](images/uc-02a.png) - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - ![OMS Sign-in dialog box for account name and password](images/uc-03a.png) - -3. Create a new OMS workspace. - ![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png) - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - ![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. 
If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - ![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png) - -6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. - ![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png) - -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace. - ![Workspace showing Solutions Gallery](images/uc-08a.png) - -8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens. - ![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png) - -9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. - ![Series of blades showing Connected Sources, Windows Diagnostic Data, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png) - -After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. +4. 
Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. + - If you already have another Windows Analytics solution, you should use the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. ->[!NOTE] ->You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. +![Update Compliance workspace creation](images/UC_02_workspace_create.png) + +5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. + +![Update Compliance workspace selection](images/UC_03_workspace_select.png) + +6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. + +![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) ## Enroll devices in Windows Analytics +Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: +1. 
Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/understand/introduction) or similar). +2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - -## Use Update Compliance to monitor Windows Updates - -Once your devices are enrolled, you can start to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md). +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 2719e89d62..218a8cf0e9 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
@@ -8,51 +8,39 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 10/04/2018 ms.localizationpriority: medium --- -# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance +# Monitor Windows Updates with Update Compliance ## Introduction -With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md). +Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: -Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. +* View a report of device and update issues related to compliance that need attention. +* See the status of Windows Defender Antivirus signatures and threats. +* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). -Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. 
+Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -Update Compliance provides the following: - -- Dedicated drill-downs for devices that might need attention -- An inventory of devices, including the version of Windows they are running and their update status -- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices -- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later) -- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries -- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure +Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal). See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. -Click the following link to see a video demonstrating Update Compliance features. 
- -[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) - ## Update Compliance architecture The Update Compliance architecture and data flow is summarized by the following five-step process: **(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
    **(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
    -**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your OMS workspace.
    +**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Log Analytics workspace.
    **(4)** Diagnostic data is available in the Update Compliance solution.
    -**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
    -These steps are illustrated in following diagram:
-
-![Update Compliance architecture](images/uc-01-wdav.png)
 >[!NOTE]
 >This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index c22ccf1812..33ca94987b 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -5,34 +5,39 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- -# Need Attention! +# Needs attention! +![Needs attention section](images/UC_workspace_needs_attention.png) -![Need Attention! report](images/uc-needattentionoverview.png) - -The “Need Attention!” section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade is shown within this section that contains queries that provide values but do not fit within any other main section. +The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. >[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers may not add up. +>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. -The different issues are broken down by Device Issues and Update Issues, which are iterated below: +The different issues are broken down by Device Issues and Update Issues: ## Device Issues -* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. 
These devices may be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10. +* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. ## Update Issues -* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure. +* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. +* **Cancelled**: This issue occurs when a user cancels the update process. +* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. * **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. 
-Clicking on any of the issues will navigate you to the Log Search view with all devices that have the given issue. +Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. + +>[!NOTE] +>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. ## List of Queries -The List of Queries blade resides within the “Need Attention!” section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. \ No newline at end of file +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 969c2e6d55..bf7d1d6795 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md 
@@ -5,28 +5,25 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- # Security Update Status -![The Security Update Status report](images/uc-securityupdatestatus.png) +![The Security Update Status report](images/UC_workspace_SU_status.png) -The Security Update Status section provides information about [quality updates](waas-quick-start.md#definitions) across all devices. The section tile within the O[verview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update to provide the most essential data without needing to navigate into the section. However, within the section the Overall Quality Update Status blade also considers whether devices are up-to-date on non-security updates. +The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates. ->[!NOTE] ->It is possible for the percentage of devices on the latest security update to differ from devices that are up-to-date on all quality updates. This is because some devices may have non-security updates that are applicable to them. - -The **Overall Quality Update Status** blade provides a visualization of devices that are and are not up-to-date on the latest quality updates (not just security updates). Below the visualization are all devices further broken down by OS Version and a count of how many are up-to-date and not up-to-date. Within the “Not up-to-date” column, the count of update failures is also given. 
+The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures. The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. -What follows is a breakdown of the different deployment states reported by devices: +The various deployment states reported by devices are as follows: * **Installed** devices are devices that have completed installation for the given update. -* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using WU for Business Settings. -* Devices that have **Update Failed**, failed updating at some point during the installation process of the given security update. -* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. +* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using Windows Update for Business Settings. 
+* Devices that have **Update Issues** have failed to update at some point during the installation process of the given security update or have not seen progress for a period of seven days. +* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. This is most often devices that have not scanned for an update in some time, or devices not being managed through Windows Update. -The rows of each tile in this section are interactive; clicking on them will navigate you to the query that is representative of that row and section. These queries are also attached to [Perspectives](update-compliance-perspectives.md) with detailed deployment data for that update. \ No newline at end of file +The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 2bcc3b064e..d9b61d93cf 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/13/2017 +ms.date: 10/04/2018 ms.localizationpriority: medium --- 
@@ -18,64 +18,72 @@ In this section you'll learn how to use Update Compliance to monitor your device Update Compliance: -- Uses diagnostic data gathered from user devices to form an all-up view of Windows 10 devices in your organization. -- Enables you to maintain a high-level perspective on the progress and status of updates across all devices. -- Provides a workflow that can be used to quickly identify which devices require attention. -- Enables you to track deployment compliance targets for updates. -- Summarizes Windows Defender Antivirus status for devices that use it. +- Provides detailed deployment data for Windows 10 security, quality, and feature updates. +- Reports when devices have issues related to updates that need attention. +- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). +- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). +- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. ->[!NOTE] ->Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices. +## The Update Compliance tile +After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: -In Update Compliance, data is separated into vertically-sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways. Blades are summarized by their title in the upper-left corner above it. Every number displayed in OMS is the direct result of one or more queries. 
Clicking on data in blades will often navigate you to the query view, with the query used to produce that data. Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query. +![Update Compliance tile no data](images/UC_tile_assessing.png) -## The Update Compliance Tile +When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: -After Update Compliance has successfully been added from the solution gallery, you’ll see this tile: -![Empty Update Compliance Tile](images/uc-emptyworkspacetile.png) +![Update Compliance tile with data](images/UC_tile_filled.png) -When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: +The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. 
-![Filled Update Compliance Tile](images/uc-filledworkspacetile.png) +## The Update Compliance workspace -The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was updated. +![Update Compliance workspace view](images/UC_workspace_needs_attention.png) -## The Update Compliance Workspace +When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. -![Update Compliance workspace view](images/uc-filledworkspaceview.png) +### Overview blade -Upon clicking the tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview Blade providing a hub from which to navigate to different reports of your device’s data. +![The Overview blade](images/UC_workspace_overview_blade.png) -### Overview Blade - -![The Overview Blade](images/uc-overviewblade.png) - -Update Compliance’s overview blade provides a summarization of all the data Update Compliance focuses on. It functions as a hub from which different sections can be navigated to. The total number of devices detected by Update Compliance are counted within the title of this blade. What follows is a distribution for all devices as to whether they are up to date on: -* Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. 
The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. -The blade also provides the time at which your Update Compliance workspace was refreshed. +The blade also provides the time at which your Update Compliance workspace was [refreshed](#data-latency). -Below the “Last Updated” time, a list of the different sections follows that can be clicked on to view more information, they are: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It counts the number of devices encountering issues and need attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful. -* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices; including deployment. 
-* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress. -* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus. +The following is a breakdown of the different sections available in Update Compliance: +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. 
+* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. +* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. -Use [Perspectives](update-compliance-perspectives.md) for data views that provide deeper insight into your data. -## Utilizing Log Analytics +## Update Compliance data latency +Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: -Update Compliance is built upon the Log Analytics platform that is integrated into Operations Management Suite. All data within the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. +Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. 
+| Data Type | Refresh Rate | Data Latency | +|--|--|--| +|WaaSUpdateStatus | Once per day |4 hours | +|WaaSInsiderStatus| Once per day |4 hours | +|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | +|WDAVStatus|On signature update|24 hours | +|WDAVThreat|On threat detection|24 hours | +|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | +|WUDOStatus|Once per day|12 hours | + +This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. See below for a few topics related to Log Analytics: * Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). * To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). -* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to utilize it to always stay informed about the most critical issues you care about. 
- ->[!NOTE] ->You can use the Feedback Hub App on Windows 10 devices to [provide feedback about Update Compliance](feedback-hub://?referrer=itProDocs&tabid=2&contextid=797) and other Windows Analytics solutions. +* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. ## Related topics diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index c0f974d0c0..aaf6b63c0c 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md 
@@ -7,25 +7,29 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 05/17/2018 +ms.date: 10/04/2018 --- # Windows Defender AV Status -![The Windows Defender AV Status report](images/uc-windowsdefenderavstatus.png) +![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. >[!NOTE] ->Customers with E5 licenses can monitor the Windows Defender AV status by using the Windows Defender ATP portal. For more information about monitoring devices with this portal, see [Onboard Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Clicking any of these statuses will navigate you to a Log Search view containing the query. 
+# Windows Defender AV Status sections +The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. -The **Threat Status** blade provides a visualization of, for devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Clicking either of these will navigate to the respective query in Log Search for further investigation. +The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. -Here are some important terms to consider when utilizing the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with signature older than 14 days. -* **No real-time protection** devices are devices who are using Windows Defender AV but have turned off Real-time protection. +Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: +* **Signature out of date** devices are devices with a signature older than 14 days. +* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. * **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This can be due to reason like disk full, network error, operation aborted, etc. Manual intervention may be needed from IT team. 
-* **Not assessed** devices are devices where either a third-party AV solution is used or it has been more than 7 days since the device recently disappeared. +* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. +* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. + +## Windows Defender data latency +Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. \ No newline at end of file diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 9cfb7ab6bf..3e82500cc3 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -74,7 +74,7 @@ As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] ->With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For nmore information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). +>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). >[!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index bb2378b3a9..ed003254cc 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 05/29/2018 +ms.date: 10/17/2018 --- # Quick guide to Windows as a service 
@@ -35,6 +35,8 @@ Some new terms have been introduced as part of Windows as a service, so you shou See [Overview of Windows as a service](waas-overview.md) for more information. +For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md). + ## Key Concepts Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 0d7862c02a..2a37f7db2f 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, Azure, portal, operations management suite, add, m ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 09/12/2018 +ms.date: 10/05/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo 
@@ -26,14 +26,21 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and ### Permissions +It's important to understand the difference between Azure Active Directory and an Azure subscription: + +**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. + +An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. + + >[!IMPORTANT] ->Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked Azure subscription or Azure resource group. +>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: [![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) -If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspaces's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). 
They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). +If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 9539a482fc..30f586c3f1 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/01/2018 +ms.date: 10/08/2018 ms.localizationpriority: medium --- 
@@ -41,7 +41,7 @@ Microsoft uses a unique commercial ID to map information from user computers to ## Enable data sharing -To enable data sharing, configure your proxy sever to whitelist the following endpoints. You might need to get approval from your security group to do this. +To enable data sharing, configure your proxy server to whitelist the following endpoints. You might need to get approval from your security group to do this. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| 
@@ -53,7 +53,7 @@ To enable data sharing, configure your proxy sever to whitelist the following en | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | -| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. | +| `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | | `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | | `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index e5eab8199a..35d32c83e9 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md 
@@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 09/26/2018 +ms.date: 10/10/2018 ms.localizationpriority: medium --- @@ -45,7 +45,7 @@ Upgrade Readiness is offered as a *solution* which you link to a new or existing 1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. >[!NOTE] - > Upgrade Readiness is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. + > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. 2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 8bc47524c0..bef52aab7a 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -22,7 +22,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi ## Proof-of-concept environment -For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ![figure 1](../images/upgrademdt-fig1-machines.png) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index d494ef7054..1632f15877 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp +author: greg-lindsay +ms.author: greglin ms.date: 06/01/18 --- diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md index 320afb60dd..7bdfb8857c 100644 
--- a/windows/deployment/windows-autopilot/configure-autopilot.md +++ b/windows/deployment/windows-autopilot/configure-autopilot.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp +author: greg-lindsay +ms.author: greglin ms.date: 06/01/18 --- diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index ca44b1c9f9..17268284ab 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft +author: greg-lindsay ms.author: greg-lindsay ms.date: 07/13/18 --- diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index 2f7e82b15e..45d96d4f4b 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium -author: coreyp-at-msft -ms.author: coreyp +author: greg-lindsay +ms.author: greglin ms.date: 06/01/2018 --- @@ -42,7 +42,7 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha Presently the following types of policies are not tracked: -- Intune Management Extentions PowerShell scripts. +- Intune Management Extensions PowerShell scripts. - Office 365 ProPlus installations. - System Center Configuration Manager apps, packages, and task sequences. 
diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/existing-devices.md
similarity index 62%
rename from windows/deployment/windows-autopilot/rip-and-replace.md
rename to windows/deployment/windows-autopilot/existing-devices.md
index 0f85771ec9..be48f47d26 100644
--- a/windows/deployment/windows-autopilot/rip-and-replace.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -1,19 +1,19 @@
----
-title: Rip and Replace
-description: Listing of Autopilot scenarios
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
----
-
-# Rip and replace
-
-**Applies to: Windows 10**
-
-DO NOT PUBLISH. Just a placeholder for now, coming with 1809.
\ No newline at end of file
+---
+title: Autopilot for existing devices
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.date: 10/11/2018
+---
+
+# Autopilot for existing devices
+
+**Applies to: Windows 10**
+
+Placeholder. Content coming.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
index 4868e24cd2..4b3d210f36 100644
--- a/windows/deployment/windows-autopilot/profiles.md
+++ b/windows/deployment/windows-autopilot/profiles.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/18
 ---
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index deba1e8e5e..5e6d1bd137 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
 ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 2ea0af92da..d03b5ca36e 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
index 91d9bbf472..1310d1aab1 100644
--- a/windows/deployment/windows-autopilot/user-driven-aad.md
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -7,13 +7,13 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: low
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greglin
+ms.date: 10/11/2018
 ---
 # Windows Autopilot user-driven mode for Azure Active Directory
 **Applies to: Windows 10**
-DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md.
+Placeholder. Content coming.
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index 091783afa4..8a55a84cc1 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: low
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greglin
+ms.date: 10/11/2018
 ---
@@ -17,4 +17,4 @@ ms.date: 06/01/2018
 **Applies to: Windows 10**
-DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time.
+Placeholder. Content coming.
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index bb9b722bb6..b3ffeb0cd7 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index 810bdf70be..33f04c305b 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 08/22/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
index 919b0f5efa..7cdf271f76 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
index 8cd71d80c3..c14fc72ee3 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
index 6ed585912e..d44ee7fbfe 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 1ffd9e4582..237de23838 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
index b8259e9016..2d8e2d0506 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
@@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
 ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
index 7efd53c9f0..8b900be698 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
 ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 4417198067..8cd3d090a5 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
 ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
+author: greg-lindsay
+ms.author: greglin
 ms.date: 06/01/2018
 ---
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index b832512df1..619ad5926c 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp +author: greg-lindsay +ms.author: greglin ms.date: 06/01/2018 --- diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 39eb571f2a..01cad0042d 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp +author: greg-lindsay +ms.author: greglin ms.date: 06/01/2018 --- diff --git a/windows/hub/index.md b/windows/hub/index.md index 531d071af4..16c86b4a0f 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -71,10 +71,12 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - [Read more about Windows as a Service](/windows/deployment/update/waas-overview) +- [Read how much space does Windows 10 take](https://www.microsoft.com/en-us/windows/windows-10-specifications) ## Related topics [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009) +   diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 3c72b3297d..9a9140a764 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md 
@@ -334,7 +334,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -670,7 +670,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4388,7 +4388,7 @@ The following fields are available:
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
 - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 2a059112f5..f1ca2eae5e 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 10/10/2018 --- @@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: + - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) @@ -76,9 +77,9 @@ The following fields are available: - **SystemProcessorNx** The count of the number of this particular object type present on this device. - **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. - **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. -- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemTouch** The count of the number of this particular object type present on this device. - **SystemWim** The count of SystemWim objects present on this machine. -- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. 
@@ -358,7 +359,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -705,7 +706,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1544,14 +1545,14 @@ This event provides information on about security settings used to help keep Win
 The following fields are available:
 - **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
-- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
+- **CGRunning** Is Credential Guard running?
 - **DGState** This field summarizes the Device Guard state.
 - **HVCIRunning** Is HVCI running?
 - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
 - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
 - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
-- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
+- **SecureBootCapable** Is this device capable of running Secure Boot?
+- **VBSState** Is virtualization-based security enabled, disabled, or running?
 ### Census.Speech
@@ -2956,6 +2957,19 @@ The following fields are available:
 ## Sediment events
+### Microsoft.Windows.Sediment.Info.DetailedState
+
+This event is sent when detailed state information is needed from an update trial run.
+
+The following fields are available:
+
+- **Data** Data relevant to the state, such as what percent of disk space the directory takes up.
+- **Id** Identifies the trial being run, such as a disk related trial.
+- **ReleaseVer** The version of the component.
+- **State** The state of the reporting data from the trial, such as the top-level directory analysis.
+- **Time** The time the event was fired.
+
+
 ### Microsoft.Windows.Sediment.OSRSS.UrlState
 This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
@@ -3579,14 +3593,14 @@ The following fields are available:
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **ClientVersion** The version number of the software distribution client.
 - **CSIErrorType** The stage of CBS installation where it failed.
-- **CurrentMobileOperator** Mobile operator that device is currently connected to.
-- **DeviceModel** What is the device model.
+- **CurrentMobileOperator** The mobile operator to which the device is currently connected.
+- **DeviceModel** The device model.
 - **DriverPingBack** Contains information about the previous driver and system state.
 - **EventInstanceID** A globally unique identifier for event instance.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
@@ -3602,21 +3616,21 @@ The following fields are available:
 - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
-- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
-- **IsFirmware** Is this update a firmware update?
-- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
 - **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
 - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
-- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
 - **MsiAction** The stage of MSI installation where it failed.
 - **MsiProductCode** The unique identifier of the MSI installer.
 - **PackageFullName** The package name of the content being installed.
 - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
 - **RevisionNumber** The revision number of this specific piece of content.
 - **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
@@ -3626,8 +3640,8 @@ The following fields are available:
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
 - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
 - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TransactionCode** The ID which represents a given MSI installation
-- **UpdateId** Unique update ID
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
 - **UpdateID** An identifier associated with the specific piece of content.
 - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
 - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
@@ -3995,7 +4009,7 @@ The following fields are available:
 - **ScenarioId** Indicates the update scenario.
 - **SessionId** Unique value for each update attempt.
 - **SetupMode** Mode of setup to be launched.
-- **UpdateId** Unique ID for each update.
+- **UpdateId** Unique ID for each Update.
 - **UserSession** Indicates whether install was invoked by user actions.
@@ -4014,7 +4028,7 @@ The following fields are available:
 - **CV** Correlation vector.
 - **DetectorVersion** Most recently run detector version for the current campaign.
 - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
-- **key1** Interaction data for the UI
+- **key1** UI interaction data
 - **key10** UI interaction data
 - **key11** UI interaction data
 - **key12** UI interaction data
@@ -4025,7 +4039,7 @@ The following fields are available:
 - **key17** UI interaction data
 - **key18** UI interaction data
 - **key19** UI interaction data
-- **key2** Interaction data for the UI
+- **key2** UI interaction data
 - **key20** UI interaction data
 - **key21** Interaction data for the UI
 - **key22** UI interaction data
@@ -4036,13 +4050,13 @@ The following fields are available:
 - **key27** UI interaction data
 - **key28** UI interaction data
 - **key29** UI interaction data
-- **key3** Interaction data for the UI
+- **key3** UI interaction data
 - **key30** UI interaction data
-- **key4** Interaction data for the UI
+- **key4** UI interaction data
 - **key5** UI interaction data
 - **key6** UI interaction data
-- **key7** Interaction data for the UI
-- **key8** Interaction data for the UI
+- **key7** UI interaction data
+- **key8** UI interaction data
 - **key9** UI interaction data
 - **PackageVersion** Current package version of the update notification.
 - **schema** UI interaction type.
@@ -4194,9 +4208,9 @@ The following fields are available:
 - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
 - **TestId** A string to uniquely identify a group of events.
 - **WuId** Windows Update client ID.
@@ -4352,7 +4366,7 @@ The following fields are available:
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
 - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
@@ -4388,17 +4402,17 @@ This event provides the results from the WaaSMedic engine
 The following fields are available:
 - **detectionSummary** Result of each applicable detection that was run.
-- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
+- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates
 - **hrEngineResult** Indicates the WaaSMedic engine operation error codes
-- **insufficientSessions** Device not eligible for diagnostics.
-- **isManaged** Device is managed for updates.
-- **isWUConnected** Device is connected to Windows Update.
-- **noMoreActions** No more applicable diagnostics.
-- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
+- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
+- **isManaged** Indicates the device is managed for updates
+- **isWUConnected** Indicates the device is connected to Windows Update
+- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
+- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates
 - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
-- **usingBackupFeatureAssessment** Relying on backup feature assessment.
-- **usingBackupQualityAssessment** Relying on backup quality assessment.
-- **versionString** Version of the WaaSMedic engine.
+- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
+- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
+- **versionString** Installed version of the WaaSMedic engine
 ## Windows Store events
@@ -4667,9 +4681,9 @@ FulfillmentComplete event is fired at the end of an app install or update. We us
 The following fields are available:
 - **FailedRetry** Tells us if the retry for an install or update was successful or not.
-- **HResult** Resulting HResult error/success code of this call
-- **PFN** Package Family Name of the app that being installed or updated
-- **ProductId** Product Id of the app that is being updated or installed
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
@@ -5028,14 +5042,14 @@ This event collects information regarding the install phase of the new device ma
 The following fields are available:
-- **errorCode** The error code returned for the current install phase
-- **flightId** The unique identifier for each flight
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest scan
-- **result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId** Unique value for each Update Agent mode attempt
-- **updateId** Unique ID for each update
+- **errorCode** The error code returned for the current install phase.
+- **flightId** Unique ID for each flight.
+- **objectId** Unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **updateId** Unique ID for each Update.
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
@@ -5108,7 +5122,7 @@ The following fields are available:
 - **interactive** Indicates whether the session was user initiated.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
-- **updateScenarioType** Device ID
+- **updateScenarioType** Update Session type
 - **wuDeviceid** Device ID
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index df5f2eb5b0..404f217af2 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -369,7 +369,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -701,7 +701,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4538,7 +4538,7 @@ The following fields are available:
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
 - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 0089755870..f840faba43 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -666,7 +666,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1013,7 +1013,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
index 3743dc7b3b..3dd67f4b7e 100644
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ b/windows/privacy/windows-personal-data-services-configuration.md
@@ -123,7 +123,7 @@ This setting determines whether a device shows notifications about Windows diagn
 ### Configure telemetry opt-in setting user interface
-This setting determines whether people can change their own Windows diagnostic data level in in *Start > Settings > Privacy > Diagnostics & feedback*.
+This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*.
 #### Group Policy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 97f8ceee36..f33d7bbf02 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -131,7 +131,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
 ## Review
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
+* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
 * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
 * Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
 * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index bbc808feae..f9c8f46088 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -104,7 +104,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
 ## Review
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
+* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
 * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
 * Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
 * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 36ee129b4c..35f2f574ec 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -157,6 +157,8 @@ If you don't use Group Policy in your organization, or if not all your remote ho
 mstsc.exe /remoteGuard
 ```
+> [!NOTE]
+> The user must be part of administrators group.
 ## Considerations when using Windows Defender Remote Credential Guard
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index 00aaec6903..d1af453ff6 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -30,28 +30,29 @@ ## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) -### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) -#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) -##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) -##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) -#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) -##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) -##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) -#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md) -### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) -#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration 
Manager](windows-information-protection\create-wip-policy-using-sccm.md) -### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) -### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md) -### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) -### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md) -### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) -### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) -### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md) -#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md) -#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) -#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) -#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) -### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md) +### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) +#### [Create a WIP policy using 
the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) +##### [Deploy your WIP policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) +##### [Associate and deploy a VPN policy for WIP using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) +#### [Create a WIP policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) +##### [Deploy your WIP policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) +##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) +#### [Create a WIP policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md) +### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) +#### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) +### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) +### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) +### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) +### [Testing scenarios for WIP](windows-information-protection\testing-scenarios-for-wip.md) +### [Limitations while using WIP](windows-information-protection\limitations-with-wip.md) +### [How to collect WIP audit event 
logs](windows-information-protection\collect-wip-audit-event-logs.md) +### [General guidance and best practices for WIP](windows-information-protection\guidance-and-best-practices-wip.md) +#### [Enlightened apps for use with WIP](windows-information-protection\enlightened-microsoft-apps-and-wip.md) +#### [Unenlightened and enlightened app behavior while using WIP](windows-information-protection\app-behavior-with-wip.md) +#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP](windows-information-protection\recommended-network-definitions-for-wip.md) +#### [Using Outlook Web Access with WIP](windows-information-protection\using-owa-with-wip.md) +### [Fine-tune WIP Learning](windows-information-protection\wip-learning.md) +### [How WIP works with sensitivity labels](windows-information-protection\how-wip-works-with-labels.md) ## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 5c7a8d5795..8d7bde1868 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 09/17/2018 +ms.date: 10/10/2018 --- # Information protection 
@@ -16,7 +16,7 @@ Learn more about how to secure documents and other data across your organization | Section | Description | |-|-| | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. | -| [Encrypted Hard Drive](bitlocker/bitlocker-overview.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. | +| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. | | [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. | | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| | [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. | diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index a55901c0ac..3f71393153 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -19,7 +19,7 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on. -For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation. +For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). ## Background 
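Review bot: The same PDF is linked under two different titles: `Intel Thunderbolt™ 3 Security documentation` in this hunk, and `Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system` in the two sentences the next hunk adds (after step 4 and in the first FAQ answer). Using one title throughout would make it clear that this is a single reference. The fallback sentence in the next hunk is also added twice verbatim; keeping it after step 4 and pointing the FAQ answer at it would stop the two copies drifting apart.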
@@ -75,12 +75,14 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do - Turn on Intel Virtualization Technology. - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows 10. -4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. +4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. + +For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. +In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? 
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 1ff26cb46d..1cc72bd01d 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md 
@@ -75,7 +75,7 @@ The adoption of new authentication technology requires that identity providers a Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): -• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. +• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. • **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. 
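Review bot: The rewritten **Endorsement key** bullet still ends with an unclosed parenthesis, `(instead of malware acting like a TPM.`; since the line is being edited anyway, close it as `(instead of malware acting like a TPM).` The new wording `a TPM that the manufacturer made` is also slightly looser than the original, which tied the TPM to the manufacturer that signed the certificate. `a TPM that this manufacturer made` keeps that link without the doubled word.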
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 1c8b475572..ed7d4a50ad 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -136,4 +136,4 @@ This table includes info about how enlightened apps might behave, based on your >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index c554266f44..06c6f03b54 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -70,4 +70,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md index 990c0c34c4..faaddea437 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md @@ -113,7 +113,7 @@ The final step to making your VPN configuration work with WIP, is to link your t >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 06be6ec2fb..56622e9a92 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -546,4 +546,4 @@ Optionally, if you don’t want everyone in your organization to be able to shar - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index d75ea228ef..6593dc47a3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md 
@@ -476,4 +476,4 @@ After you've decided where your protected apps can access enterprise data on you - [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index d686c6df22..3ff66496cf 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 10/15/2018 --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune 
@@ -22,19 +22,17 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll **To deploy your WIP policy** -1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. - - A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. +1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy. 2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. - The policy is deployed to the selected users' devices. + The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md index 26b5ff9472..6d41dd0d2a 100644 
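Review bot: Step 1 now ends with `select groups to include or exclude from the policy`, but the unchanged step 2 still tells the reader to choose the group and click **Select**. Group selection is therefore described twice, and the exclude path is never explained. Excluding a group presumably leaves its users' devices without this WIP policy, so a sentence stating the effect belongs here, e.g. `Devices of users in an excluded group do not receive this policy.` The screenshot `images/wip-azure-add-user-groups.png` is kept from the old **Add user group** flow and may no longer match the **Assignments** pane; worth confirming.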
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -35,7 +35,7 @@ The added people move to the **Selected Groups** list on the right-hand pane. The policy is deployed to the selected users' devices. >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index e91d6c96e7..52503527a1 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 05/30/2018 +ms.date: 10/11/2018 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) 
@@ -32,7 +32,7 @@ Apps can be enlightened or unenlightened: - Windows **Save As** experiences only allow you to save your files as enterprise. -- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions. +- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. ## List of enlightened Microsoft apps Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: @@ -82,7 +82,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
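Review bot: The sentence added to the **WIP-work only apps** bullet, `Unenlightened apps that are targeted by WIP without enrollment run under personal mode.`, uses "personal mode" without defining it, and none of the visible bullets define it either. An administrator cannot tell from this whether enterprise data handled by such an app is protected, which is the decision the bullet is meant to support. Either link the term to the page that defines it or add a clause stating the consequence for work data. The bullet now also reads as if WIP-work only apps exist only without device enrollment; if the MDM-enrolled case is still valid, say so explicitly.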
    **Product Name:** Microsoft.Office.PowerPoint
    **App Type:** Universal app | |OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.OneNote
    **App Type:** Universal app | |Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.windowscommunicationsapps
    **App Type:** Universal app | -|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
    We don't recommend setting up Office by using individual paths or publisher rules.| +|Office 365 ProPlus and Office 2019 Professional Plus |Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
    We don't recommend setting up Office by using individual paths or publisher rules.| |Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Windows.Photos
    **App Type:** Universal app | |Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneMusic
    **App Type:** Universal app | |Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneVideo
    **App Type:** Universal app | @@ -97,4 +97,4 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 8e0e18f98a..f02c43a630 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -29,4 +29,4 @@ This section includes info about the enlightened Microsoft apps, including how t |[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). | >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md new file mode 100644 index 0000000000..67d918b484 --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md 
@@ -0,0 +1,88 @@
+---
+title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10)
+description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
+keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: justinha
+ms.localizationpriority: medium
+ms.date: 10/12/2018
+---
+
+# How Windows Information Protection protects files with a sensitivity label
+
+**Applies to:**
+
+- Windows 10, version 1809
+
+This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
+Microsoft information protection technologies work together as an integrated solution to help enterprises:
+
+- Discover corporate data on endpoint devices
+- Classify and label information based on its content and context
+- Protect corporate data from unintentionally leaving to non-business environments
+- Enable audit reports of user interactions with corporate data on endpoint devices
+
+Microsoft information protection technologies include:
+
+- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
+
+- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
+
+- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
+
+ ![Sensitivity labels](images/sensitivity-labels.png)
+
+## Default WIP behaviors for a sensitivity label
+
+Enterprises can create and manage sensitivity labels on the **Labels** page in the Office 365 Security & Compliance Center.
+When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label.
+WIP enforces default endpoint protection depending on how the sensitivity label is configured:
+
+- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label
+- When the sensitivity label is *not configured* for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM):
+ - If the document is downloaded from a work site, the device enforces work protection
+ - If the document is downloaded from a personal site, no work protection is applied
+
+For more information about labels, see [Overview of labels](https://docs.microsoft.com/office365/securitycompliance/labels).
+
+## Use cases
+
+This section covers how WIP works with sensitivity labels in specific use cases.
+
+### User downloads from or creates a document on a work site
+
+If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label.
+
+If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label.
+
+### User downloads a confidential Office or PDF document from a personal site
+
+Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site.
+If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site.
+For example:
+
+1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
+2. She emails the PDF from her Gmail account to Laura.
+3. Laura opens the PDF file on her Windows 10 device.
+4. WIP policy gets applied and the file is protected.
+
+The PDF file doesn't need any work context beyond the sensitivity label.
+
+## Prerequisites
+
+- Windows 10, version 1809
+- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection
+- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center
+- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md).
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png
index cf48ea50fc..12d4f6eefd 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png and b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png
new file mode 100644
index 0000000000..89a133bcbe
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
index 08afdf96b5..f453431070 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png
index e0dc52bd86..fdbc950c9e 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png index 4f5a81b9a2..926a3c4473 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png and b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index accb65ae90..c1b8b5a716 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -33,4 +33,4 @@ This list provides all of the tasks and settings that are required for the opera >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 6ebcf8b468..80629be64c 100644 
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -147,4 +147,4 @@ After deciding to use WIP in your enterprise, you need to: >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index f9318f3384..fda5027ad2 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -170,4 +170,4 @@ You can try any of the processes included in these scenarios, but you should foc >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 429aa1c479..0f59fcfe7b 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -8,9 +8,10 @@ ms.prod: w10 ms.mktglfcycl: ms.sitesec: library ms.pagetype: security -author: coreyp-at-msft +author: justinha +ms.author: justinha ms.localizationpriority: medium -ms.date: 08/08/2018 +ms.date: 10/15/2018 --- # Fine-tune Windows Information Protection (WIP) with WIP Learning 
@@ -27,19 +28,17 @@ In the **Website learning report**, you can view a summary of the devices that h ## Access the WIP Learning reports -1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. +1. Open the [Azure portal](http://portal.azure.com/). -2. Choose **Intune** > **Mobile Apps**. +1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. -3. Choose **App protection status**. +1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. -4. Choose **Reports**. + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) - ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) +1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. -5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**. - - ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS). 
@@ -98,4 +97,4 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index fdc4981748..3bbbacf2d9 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -18,6 +18,8 @@ ##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) + + ##### Alerts queue ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) 
@@ -90,11 +92,11 @@ ####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) ####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) ####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -#######Domain -######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) +######Domain +####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) ######File ####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) 
@@ -130,6 +132,10 @@ ####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) ####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) ####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) +######Machines Security States +####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md) +######Machine Groups +####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md) ######User ####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) @@ -137,6 +143,10 @@ ####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) ####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) +######Windows updates (KB) info +####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) +######Common Vulnerabilities and Exposures (CVE) to KB map +####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) ##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) 
@@ -394,6 +404,12 @@ #### [Software developer FAQ](intelligence/developer-faq.md) #### [Software developer resources](intelligence/developer-resources.md) +## Windows Certifications + +### [FIPS 140 Validations](fips-140-validation.md) +### [Common Criteria Certifications](windows-platform-common-criteria.md) + + ## More Windows 10 security ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) @@ -449,6 +465,7 @@ ##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) ##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) ###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) +###### [How to list XML elements in ](auditing/how-to-list-xml-elements-in-eventdata.md) ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) 
@@ -487,7 +504,7 @@ ####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) ####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) ###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md) ####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) ###### [Audit Security Group Management](auditing/audit-security-group-management.md) ####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) @@ -961,14 +978,12 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) - - - - ### [Windows security baselines](windows-security-baselines.md) #### [Security Compliance Toolkit](security-compliance-toolkit-10.md) #### [Get support](get-support-for-security-baselines.md) +### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) + ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ## [Change history for Threat protection](change-history-for-threat-protection.md) diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 01d32dee4a..2118e8090b 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md 
@@ -30,13 +30,13 @@ This subcategory allows you to audit next events: | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** -- [4782](event-4782.md)(S): The password hash an account was accessed. +- [4782](event-4782.md)(S): The password hash of an account was accessed. - [4793](event-4793.md)(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 686af7ea86..5459b8a5c7 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). +This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://docs.microsoft.com/en-us/windows-hardware/drivers/display/fast-user-switching). This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example. diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 338bb36e87..ace9821d2e 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md 
@@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). +This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching). This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index b41a078e08..7139478b3a 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -1,6 +1,6 @@ --- -title: 4782(S) The password hash an account was accessed. (Windows 10) -description: Describes security event 4782(S) The password hash an account was accessed. +title: 4782(S) The password hash of an account was accessed. (Windows 10) +description: Describes security event 4782(S) The password hash of an account was accessed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -10,7 +10,7 @@ author: Mir0sh ms.date: 04/19/2017 --- -# 4782(S): The password hash an account was accessed. +# 4782(S): The password hash of an account was accessed. **Applies to** - Windows 10 
@@ -108,7 +108,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account. ## Security Monitoring Recommendations -For 4782(S): The password hash an account was accessed. +For 4782(S): The password hash of an account was accessed. - Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change. diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md new file mode 100644 index 0000000000..dac39f14cd --- /dev/null +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md 
@@ -0,0 +1,129 @@ +--- +title: How to get a list of XML data name elements in (Windows 10) +description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: tedhardyMSFT +ms.date: 10/18/2018 +--- + +# How to get a list of XML data name elements in EventData + +**Applies to** +- Windows 10 + +The Security log uses a manifest where you can get all of the event schema. + +Run the following from an elevated PowerShell prompt: + +```powershell +$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing" +``` + +The .events property is a collection of all of the events listed in the manifest on the local machine. + +For each event, there is a .Template property for the XML template used for the event properties (if there are any). + +For example: + +```powershell +PS C:\WINDOWS\system32> $SecEvents.events[100] + + +Id : 4734 +Version : 0 +LogLink : System.Diagnostics.Eventing.Reader.EventLogLink +Level : System.Diagnostics.Eventing.Reader.EventLevel +Opcode : System.Diagnostics.Eventing.Reader.EventOpcode +Task : System.Diagnostics.Eventing.Reader.EventTask +Keywords : {} +Template : + +Description : A security-enabled local group was deleted. + + Subject: + Security ID: %4 + Account Name: %5 + Account Domain: %6 + Logon ID: %7 + + Group: + Security ID: %3 + Group Name: %1 + Group Domain: %2 + + Additional Information: + Privileges: %8 + + + +PS C:\WINDOWS\system32> $SecEvents.events[100].Template + + +``` + +## Mapping data name elements to the names in an event description + +You can use the