-
@@ -447,7 +447,7 @@ ms.date: 10/30/2017
Deploy Overview
+Deployment Overview
Learn how to deploy our suite of education offerings. Set up a cloud infrastructure for your school, acquire apps, and configure and manage Windows 10 devices.
@@ -457,8 +457,8 @@ ms.date: 10/30/2017
-
Microsoft Education Partner Network
-Find out the latest news and announcements for Microsoft Education partners.
+Microsoft Partner Network
+Discover the latest news and resources for Microsoft Education products, solutions, licensing, and readiness.
@@ -476,8 +476,8 @@ ms.date: 10/30/2017
-
Authorized Education Partner (AEP) home page
-Access the essentials and find out what it takes to become an AEP.
+Authorized Education Partner (AEP) program
+Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEU).
- Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
- It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
- 36 hours: searchable in private store
- 36 hours: available on private store tab, if the product has just been added to inventory | +| Add a product to the private store
- Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
- It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
- 36 hours: searchable in private store
- 36 hours: searchable in private store tab | | Remove a product from private store | - 15 minutes: private store tab
- 36 hours: searchable in private store | -| Accept a new LOB app into your inventory (under **Products & services)**) | 36 hours | +| Accept a new LOB app into your inventory (under **Products & services)**) | - 15 minutes: available on private store tab
- 36 hours: searchable in private store | | Create a new collection | 15 minutes| | Edit or remove a collection | 15 minutes | | Create private store tab | 4-6 hours | diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 59e3fc2354..d7484344ae 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 5/31/2018 --- # Microsoft Store for Business and Education release history @@ -17,6 +17,11 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## April 2018 +- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. +- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. +- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. + ## March 2018 - **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) - **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 2849a71cfc..fc29d300b3 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 5/31/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,15 +17,19 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**April 2018** +**May 2018** | | | |--------------------------------------|---------------------------------| -|  |**Assign apps to larger groups**
We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | -|  |**Change collection order in private store**
Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | -|  |**Office 365 subscription management**
We know that sometimes customers need to cancel subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | - +|  |**Immersive Reader app in Microsoft Store for Education**
Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2).
**Applies to**:
Microsoft Store for Education | + + + +> [!Warning] +> Starting in the next major version of Windows, this policy is deprecated. + Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. @@ -883,6 +887,10 @@ GP Info: + +> [!Warning] +> Starting in the next major version of Windows, this policy is deprecated. + Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. @@ -955,6 +963,10 @@ GP Info: + +> [!Warning] +> Starting in the next major version of Windows, this policy is deprecated. + Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index eb2b36eac7..23a98eaa7b 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 06/05/2018 --- # Policy CSP - Privacy +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -22,6 +24,9 @@ ms.date: 05/14/2018
+ +**Privacy/AllowCrossDeviceClipboard** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Clipboard synchronization across devices* +- GP name: *AllowCrossDeviceClipboard* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +0 – Not allowed. +1 (default) – Allowed. + + + + + + + + + + +
+ **Privacy/AllowInputPersonalization** @@ -1804,6 +1890,214 @@ ADMX Info:
+ +**Privacy/LetAppsAccessGazeInput** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy setting specifies whether Windows apps can access the eye tracker. + + + + + + + + + + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + + + +
+ **Privacy/LetAppsAccessLocation** @@ -4478,6 +4772,66 @@ The following list shows the supported values: + +
+ + +**Privacy/UploadUserActivities** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Allows ActivityFeed to upload published 'User Activities'. + + + +ADMX Info: +- GP English name: *Allow upload of User Activities* +- GP name: *UploadUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + + + + + + + + + +
Footnote: @@ -4486,13 +4840,20 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. ## Privacy policies supported by Windows Holographic for Business +- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) +- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) +- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) +- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) +- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 343d589daa..8f4da31f35 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 06/05/2018 --- # Policy CSP - System +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -46,6 +48,12 @@ ms.date: 05/14/2018
+ +**System/ConfigureTelemetryOptInChangeNotification** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings. +If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in change notifications.* +- GP name: *ConfigureTelemetryOptInChangeNotification* +- GP element: *ConfigureTelemetryOptInChangeNotification* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/ConfigureTelemetryOptInSettingsUx** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. + +If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. + +If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. + +Note: +Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in setting user interface.* +- GP name: *ConfigureTelemetryOptInSettingsUx* +- GP element: *ConfigureTelemetryOptInSettingsUx* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ **System/DisableEnterpriseAuthProxy** @@ -1051,6 +1190,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 2bff07d2b3..8b3d74ac3b 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,20 +10,28 @@ ms.localizationpriority: high author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 06/05/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## June 2018 + +New or changed topic | Description +--- | --- +[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Updated instructions for using Microsoft Intune to configure a kiosk. + ## May 2018 New or changed topic | Description --- | --- [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available. Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/). +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering. [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected. +[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method. ## RELEASE: Windows 10, version 1803 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 8e57f63ebd..9e2edfd8e0 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: high ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 05/31/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) @@ -45,8 +45,6 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. ->[!NOTE] ->Kiosk Browser app is coming soon to Microsoft Store for Business. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). @@ -54,6 +52,72 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr 2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) 3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). +>[!NOTE] +>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). + +#### Kiosk Browser settings + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.
For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!TIP] +>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: +>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +>- Data type: Integer +>- Value: 1 + + +#### Rules for URLs in Kiosk Browser settings + +Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). + +URLs can include: +- A valid port value from 1 to 65,535. +- The path to the resource. +- Query parameters. + +Additional guidelines for URLs: + +- If a period precedes the host, the policy filters exact host matches only. +- You cannot use user:pass fields. +- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence. +- The policy searches wildcards (*) last. +- The optional query is a set of key-value and key-only tokens delimited by '&'. +- Key-value tokens are separated by '='. +- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching. + +### Examples of blocked URLs and exceptions + +The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. + +Blocked URL rule | Block URL exception rule | Result +--- | --- | --- +`*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains. +`contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. +`youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). + +The following table gives examples for blocked URLs. + +Entry | Result +--- | --- +`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com +`https://*` | Blocks all HTTPS requests to any domain. +`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com +`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. +`.www.contoso.com` | Blocks www.contoso.com but not its subdomains. +`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. +`*:8080` | Blocks all requests to port 8080. +`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. +`192.168.1.2` | Blocks requests to 192.168.1.2. +`youtube.com/watch?v=V1` | Blocks youtube video with id V1. + ### Other browsers >[!NOTE] diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index f1cc7e5caa..7610e6fe75 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: high -ms.date: 04/30/2018 +ms.date: 06/05/2018 ms.author: jdecker ms.topic: article --- @@ -38,9 +38,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -Watch how to use Intune to configure a multi-app kiosk. - ->[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false] 1. [Generate the Start layout for the kiosk device.](#startlayout) 2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. @@ -49,14 +46,15 @@ Watch how to use Intune to configure a multi-app kiosk. 5. Select **Create profile**. 6. Enter a friendly name for the profile. 7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Multi app kiosk**. -11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. +8. Select **Kiosk (Preview)** for the profile type. +9. Select **Kiosk - 1 setting available**. +10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. 12. Enter a friendly name for the configuration. -13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app. - - For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device. - - For **UWP App**, enter the Application User Model ID for an installed app. +10. In **Kiosk Mode**, select **Multi app kiosk**. +13. Select an app type. + - For **Add Win32 app**, enter the **App Name** and **Identifier**. + - For **Add managed apps**, select an app that you manage through Intune. + - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app. 14. Select whether to enable the taskbar. 15. Browse to and select the Start layout XML file that you generated in step 1. 16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available. diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index a20aa7ba15..36581a3438 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md @@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: high -ms.date: 04/30/2018 +ms.date: 06/05/2018 --- # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education @@ -38,7 +38,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t >[!WARNING] >For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. > ->Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. @@ -48,14 +48,14 @@ Choose this method | For this edition | For this kiosk account type --- | --- | --- [Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user [PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user +[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory [Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD ### Methods for kiosks and digital signs running a Classic Windows app Choose this method | For this edition | For this kiosk account type --- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user +[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory [ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD @@ -200,7 +200,7 @@ Clear-AssignedAccess > >OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types > ->Account type: Local standard user +>Account type: Local standard user, Active Directory >[!IMPORTANT] >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). @@ -268,11 +268,11 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot 5. Select **Create profile**. 6. Enter a friendly name for the profile. 7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Single app kiosk**. -1. Enter the user account (Azure AD or a local standard user account). -11. Enter the Application User Model ID for an installed app. +8. Select **Kiosk (Preview)** for the profile type. +9. Enter a friendly name for the kiosk configuration. +10. In **Kiosk Mode**, select **Single full-screen app kiosk**. +10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. +1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. 14. Select **OK**, and then select **Create**. 18. Assign the profile to a device group to configure the devices in that group as kiosks. diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 62dae40b01..53991256e5 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -1,9 +1,11 @@ --- title: Windows 10 accessibility information for IT Pros (Windows 10) -description: +description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them +keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.author: jaimeo author: jaimeo ms.localizationpriority: high ms.date: 01/12/2018 diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 322fa570ca..d27c1b2542 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -213,6 +213,7 @@ ## [Update Windows 10](update/index.md) ### [Quick guide to Windows as a service](update/waas-quick-start.md) +#### [Servicing stack updates](update/servicing-stack-updates.md) ### [Overview of Windows as a service](update/waas-overview.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) @@ -250,6 +251,7 @@ ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) +##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) #### [Get started with Update Compliance](update/update-compliance-get-started.md) #### [Use Update Compliance](update/update-compliance-using.md) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 9e9b4bdb87..dd0540a540 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 10/18/2017 +ms.date: 05/25/2018 author: greg-lindsay --- diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index 87631ec626..48f9beb9c1 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: high ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 05/03/2018 +ms.date: 06/01/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1803 @@ -32,7 +32,6 @@ We've removed the following features and functionalities from the installed prod |Language control in the Control Panel| Use the Settings app to change your language settings.| |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| -|**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that you’ll only see mail for work and school organization accounts and some Office 365 accounts.| |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| ## Features we’re no longer developing diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 08b8659f6e..c6fc16db14 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,6 +1,7 @@ --- title: Introduction to the Windows Insider Program for Business description: Introduction to the Windows Insider Program for Business and why IT Pros should join it +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 4a72395427..81a57be6d4 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -8,6 +8,8 @@ ms.sitesec: library ms.date: 03/20/2018 ms.pagetype: deploy author: jaimeo +ms.author: jaimeo +ms.localizationpriority: high --- # Get started with Device Health @@ -26,9 +28,9 @@ Steps are provided in sections that follow the recommended setup process: Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). -**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. -**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health: +**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. [](images/uc-02.png) @@ -50,11 +52,11 @@ Device Health is offered as a solution in the Microsoft Operations Management Su [](images/uc-06.png) -6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. +6. To add Update Readiness to your workspace, go to the Solution Gallery, Select the **Update Readiness** tile and then select **Add** on the solution's detail page. [](images/solution-bundle.png) -7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. +7. Click the **Update Readiness** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. [](images/OMS-after-adding-solution.jpg) diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 96aec57103..6e78e96a31 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.date: 11/14/2017 ms.pagetype: deploy author: jaimeo +ms.author: jaimeo --- # Monitor the health of devices with Device Health diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 19e2365401..3e28db2683 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -3,10 +3,13 @@ title: Using Device Health description: Explains how to begin usihg Device Health. ms.prod: w10 ms.mktglfcycl: deploy +keywords: oms, operations management suite, wdav, health, log analytics ms.sitesec: library ms.date: 03/30/2018 ms.pagetype: deploy author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium --- # Using Device Health diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index dea0940ed3..65cd936797 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -1,30 +1,31 @@ --- title: Olympia Corp enrollment guidelines description: Olympia Corp enrollment guidelines -ms.author: nibr +ms.author: jaimeo ms.topic: article ms.prod: w10 ms.technology: windows author: jaimeo ms.date: 03/02/2018 +keywords: insider, trial, enterprise, lab, corporation, test --- # Olympia Corp ## What is Windows Insider Lab for Enterprise and Olympia Corp? -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. As an Olympia user, you will have an opportunity to: -- Use various Enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). - Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. - Validate and test pre-release software in your environment. - Provide feedback. - Interact with engineering team members through a variety of communication channels. >[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice. +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md new file mode 100644 index 0000000000..196ca53038 --- /dev/null +++ b/windows/deployment/update/servicing-stack-updates.md @@ -0,0 +1,39 @@ +--- +title: Servicing stack updates (Windows 10) +description: Servicing stack updates improve the code that installs the other updates. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: Jaimeo +ms.localizationpriority: high +ms.author: jaimeo +ms.date: 05/29/2018 +--- + +# Servicing stack updates + + +**Applies to** + +- Windows 10 + +## What is a servicing stack update? +The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. + +## Why should servicing stack updates be installed and kept up to date? + +Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. + +## When are they released? + +Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. + +## Is there any special guidance? + +Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. + +## Installation notes + +• Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +• Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +• Servicing stack update releases are specific to the operating system version (build number), much like quality updates. diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index dce1b56274..213f047db8 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -8,6 +8,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.date: 03/27/2018 +keywords: oms, operations management suite, optimization, downloads, updates, log analytics +ms.localizationpriority: high --- # Delivery Optimization in Update Compliance diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index d5059b3973..6cfecd1c73 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: Jaimeo ms.author: jaimeo ms.date: 03/15/2018 +ms.localizationpriority: high --- # Get started with Update Compliance diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index b5fe1d1337..d992899639 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: Jaimeo ms.author: jaimeo ms.date: 02/09/2018 +ms.localizationpriority: high --- # Monitor Windows Updates and Windows Defender Antivirus with Update Compliance diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index f2ecc2a75b..eac7d97530 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,6 +1,7 @@ --- title: Using Update Compliance (Windows 10) description: Explains how to begin usihg Update Compliance. +keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,6 +9,7 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.date: 10/13/2017 +ms.localizationpriority: high --- # Use Update Compliance diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index b6260dbd6d..f9c3e0a5d1 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -4,10 +4,10 @@ description: You can use Group Policy or your mobile device management (MDM) ser ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/13/2017 +ms.author: jaimeo +ms.date: 06/01/2018 --- # Configure Windows Update for Business @@ -21,14 +21,14 @@ ms.date: 10/13/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products. > >In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] ->For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +>For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). @@ -42,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). **Release branch policies** @@ -60,6 +60,9 @@ Starting with version 1703, users are able to configure their device's branch re >[!NOTE] >Users will not be able to change this setting if it was configured by policy. +>[!IMPORTANT] +>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). + ## Configure when devices receive Feature Updates After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 41ce8a4d4c..ca57e83882 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,6 +1,7 @@ --- title: Configure Delivery Optimization for Windows 10 updates (Windows 10) description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 88a40b5473..4a3d26fe3b 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -4,10 +4,10 @@ description: Windows Update for Business lets you manage when devices received u ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/13/2017 +ms.author: jaimeo +ms.date: 06/01/2018 --- # Deploy updates using Windows Update for Business @@ -21,11 +21,11 @@ ms.date: 10/13/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products. > ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. +>In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. +Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. Specifically, Windows Update for Business allows for: @@ -45,7 +45,7 @@ Windows Update for Business is a free service that is available for Windows Pro, Windows Update for Business provides three types of updates to Windows 10 devices: - **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually. -- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. +- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. - **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred. Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. @@ -102,10 +102,10 @@ The pause period is now calculated starting from the set start date. For additio ## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607 -Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. +Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. >[!NOTE] ->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +>For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
Select Servicing Options: CB or CBB | Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) | Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). | |||||||||||||||||||
Select servicing options: CB or CBB | Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) | Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). | |||||||||||||||||||
Quality Updates | Able to defer receiving Quality Updates:
| Able to defer receiving Quality Updates:
| |||||||||||||||||||
Feature Updates | Able to defer receiving Feature Updates:
| Able to defer receiving Feature Updates:
| |||||||||||||||||||
Pause updates |
| Features and Quality Updates can be paused separately.
| **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. - If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). |
-
+ ||||||||||||||||||
| 13 - Can’t connect to Microsoft - setting. | -An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. + | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. 14 | |||||||||||||||||||
| 14 - Can’t connect to Microsoft - compatexchange. | -An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). | +An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). | |||||||||||||||||||
| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | -This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. | +This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. | |||||||||||||||||||
| 16 - The computer requires a reboot before running the script. | diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 8468224bf5..e80d01d273 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -1,12 +1,15 @@ --- title: Get started with Upgrade Readiness (Windows 10) description: Explains how to get started with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo +ms.author: jaimeo ms.date: 03/20/2018 +ms.localizationpriority: high --- # Get started with Upgrade Readiness diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 9e68e3b157..21dfb741d1 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -1,9 +1,12 @@ --- title: Upgrade Readiness requirements (Windows 10) description: Provides requirements for Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 author: jaimeo +ms.author: ms.date: 03/15/2018 +ms.localizationpriority: high --- # Upgrade Readiness requirements diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 58ffa25e69..1433901e8b 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -1,9 +1,12 @@ --- title: Upgrade Readiness - Resolve application and driver issues (Windows 10) description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 author: jaimeo +ms.author: jaimeo ms.date: 08/31/2017 +ms.localizationpriority: high --- # Upgrade Readiness - Step 2: Resolve app and driver issues diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md new file mode 100644 index 0000000000..a44c405280 --- /dev/null +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md @@ -0,0 +1,57 @@ +--- +title: Upgrade Readiness - Targeting a new operating system version +description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor +ms.prod: w10 +author: jaimeo +ms.date: 05/31/2018 +--- + +# Targeting a new operating system version + +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: + +## TestResults + +If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. + +## UpgradeDecision + +If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, keep these important points in mind: + +- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. +- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. + +To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"` + +>[!NOTE] +>If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query. + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. + + +## Bulk-approving apps from a given vendor + +You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. + +## Related topics + +[Windows Analytics overview](../update/windows-analytics-overview.md) + +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) + diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index f0f332312c..6f66364a62 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -1,8 +1,11 @@ --- title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) description: Describes how to use Upgrade Readiness to manage Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: high ms.prod: w10 author: jaimeo +ms.author: jaimeo ms.date: 08/30/2017 --- diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-downgrade-paths.md index d095a3d449..4422179d21 100644 --- a/windows/deployment/upgrade/windows-10-downgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-downgrade-paths.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 02/15/2018 +ms.date: 06/07/2018 --- # Windows 10 downgrade paths @@ -17,13 +17,11 @@ ms.date: 02/15/2018 ## Downgrading Windows 10 -This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. +This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). For example, you might downgrade an Enterprise edition by manually entering a valid Pro license key. If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required. -To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). - -Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not supported, unless you are performing a rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. +Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this the rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. >**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. @@ -32,7 +30,8 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor ### Supported Windows 10 downgrade paths >[!NOTE] ->Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here. Switching between different editions of Pro is supported. This is not strictly considered an edition downgrade, but is included here for clarity. +>Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here.Pro | Pro for Workstations | Pro Education | -S | Education | Enterprise LTSC | Enterprise | @@ -65,7 +63,6 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor- | |||||||||||||
| Pro | @@ -73,7 +70,6 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor✔ | ✔ | -✔ | @@ -84,7 +80,6 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor | ✔ | ✔ | -✔ | @@ -95,18 +90,6 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor | ✔ | ✔ | - | ✔ | -- | - | - | ||||||
| S | -- | ✔ | -✔ | -✔ | -@@ -117,7 +100,6 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor | ✔ | ✔ | ✔ | -✔ | @@ -129,7 +111,6 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not suppor | - | ✔ | ✔ | ✔ | -✔ | diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index e6f428797e..9b8d7a8ea6 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 05/18/2018 +ms.date: 05/29/2018 --- # Windows 10 upgrade paths @@ -28,6 +28,8 @@ This topic provides a summary of available upgrade paths to Windows 10. You can >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. +>**Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). + ✔ = Full upgrade is supported including personal data, settings, and applications. | - | ||||
| Windows 8 | -|||||||||||||||||||||
| (Core) | -✔ | -✔ | -✔ | -✔ | -- | - | - | - | |||||||||||||
| Professional | -D | -✔ | -✔ | -✔ | -✔ | -- | - | - | |||||||||||||
| Professional WMC | -D | -✔ | -✔ | -✔ | -✔ | -- | - | - | |||||||||||||
| Enterprise | -- | - | - | ✔ | -✔ | -- | - | - | |||||||||||||
| Embedded Industry | -- | - | - | - | ✔ | -- | - | - | |||||||||||||
| Windows RT | -- | - | - | - | - | - | - | - | |||||||||||||
| Windows Phone 8 | -- | - | - | - | - | - | - | - | |||||||||||||
| Windows 8.1 | |||||||||||||||||||||
| Cloud Resources | With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com Without proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
||||||||||||||||||
| Protected domains | @@ -428,7 +432,7 @@ There are no default locations included with WIP, you must add each of your netw After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. >[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic. +>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic. **To upload your DRA certificate** 1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. @@ -473,7 +477,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. ## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. @@ -483,7 +487,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Related topics - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) @@ -494,9 +498,9 @@ Optionally, if you don’t want everyone in your organization to be able to shar - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) -- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) +- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune) - [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index 68e5de567f..12a7d8e8a4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 10/16/2017 --- # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune @@ -359,7 +359,7 @@ There are no default locations included with WIP, you must add each of your netw|||||||||||||||||||||
| Enterprise Cloud Resources | With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com Without proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: Important When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: Important When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
||||||||||||||||||
| Enterprise Network Domain Names (Required) | @@ -414,7 +414,7 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. @@ -424,7 +424,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. @@ -475,7 +475,7 @@ After you've decided where your protected apps can access enterprise data on you - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index c4df5d699f..2d44748948 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.author: lizross -ms.date: 10/13/2017 +ms.author: justinha +ms.date: 05/30/2018 localizationpriority: medium --- @@ -26,15 +26,18 @@ By using Microsoft Intune with Mobile application management (MAM), organization - Remove enterprise data from employee's devices - Report on mobile app inventory and track usage ->[!NOTE] ->This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, you must follow the instructions in the [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md) topic. ->If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. ->Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. +## Alternative steps if you already manage devices with MDM + +This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). + +If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. + +Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Prerequisites to using MAM with Windows Information Protection (WIP) -Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic. +Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10). -Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. +Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. >[!Important] >WIP doesn't support multi-identity. Only one managed identity can exist at a time. @@ -64,7 +67,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif  >[!Important] - >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, you must use these instructions, [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md), instead. + >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). 4. Click **Create**. @@ -134,7 +137,7 @@ If you don't know the publisher or product name for your Store app, you can find **To find the publisher and product name values for Store apps without installing them** 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. +2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. @@ -447,7 +450,7 @@ There are no default locations included with WIP, you must add each of your netw|||||||||||||||||||||
| Cloud Resources | With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com Without proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
||||||||||||||||||
| Network domain names | @@ -552,7 +555,7 @@ After you've decided where your protected apps can access enterprise data on you - **MDM discovery URL.** Lets the **Windows Settings** > **Accounts** > **Access work or school** sign-in offer an **Upgrade to MDM** link. Additionally, this lets you switch to another MDM provider, so that Microsoft Intune can manage MAM, while the new MDM provider manages the MDM devices. By default, this is specified to use Microsoft Intune. #### Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. @@ -562,7 +565,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ### Choose whether to use and configure Windows Hello for Business You can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices. @@ -645,11 +648,11 @@ After you’ve created your policy, you'll need to deploy it to your employees. ## Related topics -- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/en-us/windows/client-management/mdm/implement-server-side-mobile-application-management) +- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) - [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/) -- [MAM-supported apps](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps) +- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 10a6ed181f..0bd2b3e912 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: eross-msft ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 05/30/2018 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) @@ -93,6 +93,8 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`|||||||||||||||||||||
| Redirected folders with Client Side Caching are not compatible with WIP. | Apps might encounter access errors while attempting to read a cached, offline file. | -Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. Note For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). |
+ Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. Note For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045). |
||||||||||||||||||
| You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. | @@ -79,7 +79,7 @@ This table provides info about the most common problems you might encounter whil|||||||||||||||||||||
| ActiveX controls should be used with caution. | Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. | -We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). |
+ We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). |
||||||||||||||||||
| Resilient File System (ReFS) isn't currently supported with WIP. | @@ -105,7 +105,7 @@ This table provides info about the most common problems you might encounter whilWIP isn’t turned on for employees in your organization. | -Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + | Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). |
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| -|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.| +|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.| >[!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 4227a5f80b..b6041c8b1f 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -7,9 +7,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: coreyp-at-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Protect your enterprise data using Windows Information Protection (WIP) @@ -18,7 +18,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. @@ -29,7 +29,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 41d141a9d4..d9b56f7ad3 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) @@ -18,7 +18,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 15ca7a4e9e..0d85fb8053 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Using Outlook on the web with Windows Information Protection (WIP) @@ -17,7 +17,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 82577755ce..b971c3a054 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Determine the Enterprise Context of an app running in Windows Information Protection (WIP) @@ -17,7 +17,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly. diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index ba22997a67..b8a4c7c248 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -76,6 +76,16 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability +The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk. + +By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right. + +### Countermeasure + +When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right. + +### Vulnerability + >**Caution:** A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index d7cba5795f..c9cb9862fb 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 05/31/2018 --- # Domain member: Maximum machine account password age @@ -32,8 +32,9 @@ For more information, see [Machine Account Password Process](https://blogs.techn ### Best practices -It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. +1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites. +2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index f5d8338e71..b684158c99 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -29,7 +29,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob - Enabled - An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation + An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation. - Disabled @@ -52,7 +52,7 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | | Default Domain Policy| Not defined| -| Default Domain Controller Policy | Note defined| +| Default Domain Controller Policy | Not defined| | Stand-Alone Server Default Settings | Disabled| | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Disabled| diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 8e5b6d0232..e42efc4ec8 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -630,7 +630,7 @@ Here are the minimum steps for WEF to operate:
@@ -78,7 +79,7 @@ For October 2017, we are announcing an update to system.management.automation.dl Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: ``` - +
- **Interactive** - User physically interacts with the machine using the local keyboard and screen.
- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients.
- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed.
- **Batch** - Session initiated by scheduled tasks.
- **Service** - Session initiated by services as they start.
-| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | -| MachineId | string | Unique identifier for the machine in the service. | -| MD5 | string | MD5 hash of the file that the recorded action was applied to. | -| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. | -| OSArchitecture | string | Architecture of the operating system running on the machine. | -| OSBuild | string | Build version of the operating system running on the machine. | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. | -| PreviousRegistryValueData | string | Original data of the registry value before it was modified. | -| PreviousRegistryValueName | string | Original name of the registry value before it was modified. | -| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. | -| ProcessCommandline | string | Command line used to create the new process. | -| ProcessCreationTime | datetime | Date and time the process was created. | -| ProcessId | int | Process ID (PID) of the newly created process. | -| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. | -| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. | -| RegistryKey | string | Registry key that the recorded action was applied to. | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to. | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to. | -| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. | -| RemoteIP | string | IP address that was being connected to. | -| RemotePort | int | TCP port on the remote device that was being connected to. | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. | -| ReportIndex | long | Event identifier that is unique among the same event type. | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to. | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| ActionType | string | Type of activity that triggered the event | +| AdditionalFields | string | Additional information about the event in JSON array format | +| AlertId | string | Unique identifier for the alert | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| EventTime | datetime | Date and time when the event was recorded | +| EventType | string | Table where the record is stored | +| FileName | string | Name of the file that the recorded action was applied to | +| FileOriginIp | string | IP address where the file was downloaded from | +| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | +| FileOriginUrl | string | URL where the file was downloaded from | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | +| LogonType | string | Type of logon session, specifically:
- **Interactive** - User physically interacts with the machine using the local keyboard and screen
- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients
- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed
- **Batch** - Session initiated by scheduled tasks
- **Service** - Session initiated by services as they start
+| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | +| MachineId | string | Unique identifier for the machine in the service | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format | +| OSArchitecture | string | Architecture of the operating system running on the machine | +| OSBuild | string | Build version of the operating system running on the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| PreviousRegistryKey | string | Original registry key of the registry value before it was modified | +| PreviousRegistryValueData | string | Original data of the registry value before it was modified | +| PreviousRegistryValueName | string | Original name of the registry value before it was modified | +| PreviousRegistryValueType | string | Original data type of the registry value before it was modified | +| ProcessCommandline | string | Command line used to create the new process | +| ProcessCreationTime | datetime | Date and time the process was created | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) - +- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index b4c4800faf..0fbf8430f5 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -73,7 +73,6 @@ Automation level | Description :---|:--- Semi - require approval for any remediation | This is the default automation level.
An approval is needed for any remediation action. Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed. -Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders will automatically be remediated if needed. Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders will automatically be remediated if needed. Full - remediate threats automatically | All remediation actions will be performed automatically. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 595710cac3..db4d4d1e03 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 05/01/2018 +ms.date: 06/06/2018 --- # Configure alert notifications in Windows Defender ATP @@ -41,29 +41,45 @@ Only users assigned to the Global administrator role can manage notification rul The email notification includes basic information about the alert and a link to the portal where you can do further investigation. -## Set up email notifications for alerts -The email notifications feature is turned off by default. Turn it on to start receiving email notifications. +## Create rules for alert notifications +You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. -1. On the navigation pane, select **Settings** > **Alert notifications**. -2. Toggle the setting between **On** and **Off**. -3. Select the alert severity level that youd like your recipients to receive: - - **High** Select this level to send notifications for high-severity alerts. - - **Medium** Select this level to send notifications for medium-severity alerts. - - **Low** - Select this level to send notifications for low-severity alerts. - - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of. -4. In **Email recipients to notify on new alerts**, type the email address then select the + sign. -5. Click **Save preferences** when youve completed adding all the recipients. -Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. +1. In the navigation pane, select **Settings** > **Alert notifications**. + +2. Click **Add notification rule**. + +3. Specify the General information: + - **Rule name** + - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + - **Alert severity** - Choose the alert severity level + +4. Click **Next**. + +5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses. + +6. Check that email recipients are able to receive the email notifications by selecting **Send test email**. + +7. Click **Save notification rule**. Here's an example email notification:  -## Remove email recipients +## Edit a notification rule +1. Select the notification rule you'd like to edit. + +2. Update the General and Recipient tab information. + +3. Click **Save notification rule**. + + +## Delete notification rule + +1. Select the notification rule you'd like to delete. + +2. Click **Delete**. -1. Select the trash bin icon beside the email address youd like to remove. -2. Click **Save preferences**. ## Troubleshoot email notifications for alerts This section lists various issues that you may encounter when using email notifications for alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 8de9ab0c90..f66994565d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 05/03/2018 +ms.date: 05/29/2018 --- @@ -90,16 +90,13 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | Microsoft.com DNS record :---|:--- -Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` +Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com``` US | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` Europe | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` UK | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` -AU | ```au.vortex-win.data.microsoft.com```
```au-v20.events.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` - - - If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index e04a79d353..7a7abff824 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index f4c7dd2bb3..1d174e789f 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/21/2018 --- @@ -211,6 +211,12 @@ Check that the onboarding settings and scripts were deployed properly. Try to re See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).