deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into azureportaltweak

Browse Source
This commit is contained in:
jaimeo 2018-09-17 09:43:24 -07:00
commit f4e7b437fd
27 changed files with 466 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: brecords
ms.date: 12/07/2017
ms.date: 09/13/2018
ms.author: jdecker
ms.topic: article
---
@ -23,11 +23,7 @@ As easy as it is to keep Surface device drivers and firmware up to date automati
On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md).
Driver and firmware updates for Surface devices are released in one of two ways:
- **Point updates** are released for specific drivers or firmware revisions and provide the latest update for a specific component of the Surface device.
- **Cumulative updates** provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows.
Driver and firmware updates for Surface devices are **cumulative updates** which provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows.
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article.
@ -212,10 +208,10 @@ Download the following updates [for Surface Pro (Model 1514) from the Microsoft
- Windows8.1-KB2969817-x64.msu Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
## Surface RT
## Surface devices with Windows RT
There are no downloadable firmware or driver updates available for Surface RT. Updates can only be applied using Windows Update.
There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).

1
windows/configuration/TOC.md
View File

@ -7,6 +7,7 @@
### [Set up a single-app kiosk](kiosk-single-app.md)
### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md)
### [More kiosk methods and reference information](kiosk-additional-reference.md)
#### [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md)
#### [Validate your kiosk configuration](kiosk-validate.md)
#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
#### [Policies enforced on kiosk devices](kiosk-policies.md)

9
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -10,13 +10,20 @@ ms.localizationpriority: medium
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 08/03/2018
ms.date: 09/17/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## September 2018
New or changed topic | Description
--- | ---
[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | New
[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Add required order of elements in XML.
## August 2018
New or changed topic | Description

95
windows/configuration/find-the-application-user-model-id-of-an-installed-app.md Normal file
View File

@ -0,0 +1,95 @@
---
title: Find the Application User Model ID of an installed app
description: In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: BD8BD003-887D-4EFD-9C7A-A68AB895D8CD
author: alhopper-msft
ms.author: alhopper
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Find the Application User Model ID of an installed app
In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry.
## To identify the AUMID of an installed app by using Windows PowerShell
At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Microsoft Store apps installed for the current user on your device:
```powershell
$installedapps = get-AppxPackage
$aumidList = @()
foreach ($app in $installedapps)
{
foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
{
$aumidList += $app.packagefamilyname + "!" + $id
}
}
$aumidList
```
You can add the user <username> or the allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the user or allusers parameters.
## To identify the AUMID of an installed app for the current user by using the registry
Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
At a command prompt, type the following command:
`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"`
## Example
The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
```powershell
function listAumids( $userAccount ) {
if ($userAccount -eq "allusers")
{
# Find installed packages for all accounts. Must be run as an administrator in order to use this option.
$installedapps = Get-AppxPackage -allusers
}
elseif ($userAccount)
{
# Find installed packages for the specified account. Must be run as an administrator in order to use this option.
$installedapps = get-AppxPackage -user $userAccount
}
else
{
# Find installed packages for the current account.
$installedapps = get-AppxPackage
}
$aumidList = @()
foreach ($app in $installedapps)
{
foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
{
$aumidList += $app.packagefamilyname + "!" + $id
}
}
return $aumidList
}
```
The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it.
```powershell
# Get a list of AUMIDs for the current account:
listAumids
# Get a list of AUMIDs for an account named “CustomerAccount”:
listAumids(“CustomerAccount”)
# Get a list of AUMIDs for all accounts on the device:
listAumids(“allusers”)
```

2
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -53,7 +53,7 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md).
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).

5
windows/configuration/kiosk-additional-reference.md
View File

@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 07/30/2018
ms.date: 09/13/2018
---
# More kiosk methods and reference information
@ -23,7 +23,8 @@ ms.date: 07/30/2018
Topic | Description
--- | ---
[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk.
[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app.
[Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk.
[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.

148
windows/configuration/kiosk-prepare.md
View File

@ -37,6 +37,8 @@ Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, a
Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
Disable removable media. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
## Automatic logon
In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
>[!TIP]
@ -74,7 +76,151 @@ In addition to the settings in the table, you may want to set up **automatic log
>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
## Interactions and interoperability
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
> [!Note]
> Where applicable, the table notes which features are optional that you can configure for assigned access.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Feature</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Accessibility</p></td>
<td><p>Assigned access does not change Ease of Access settings.</p>
<p>We recommend that you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Key combination</th>
<th>Blocked behavior</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Left Alt+Left Shift+Print Screen</p></td>
<td><p>Open High Contrast dialog box.</p></td>
</tr>
<tr class="even">
<td><p>Left Alt+Left Shift+Num Lock</p></td>
<td><p>Open Mouse Keys dialog box.</p></td>
</tr>
<tr class="odd">
<td><p>Windows logo key+U</p></td>
<td><p>Open Ease of Access Center.</p></td>
</tr>
</tbody>
</table>
<p> </p></td>
</tr>
<tr class="even">
<td><p>Assigned access Windows PowerShell cmdlets</p></td>
<td><p>In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](https://docs.microsoft.com/powershell/module/assignedaccess/?view=win10-ps).</p></td>
</tr>
<tr class="odd">
<td><p>Key sequences blocked by assigned access</p></td>
<td><p>When in assigned access, some key combinations are blocked for assigned access users.</p>
<p>Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.</p>
<p>Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-settings).</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Key combination</th>
<th>Blocked behavior for assigned access users</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Alt+Esc</p></td>
<td><p>Cycle through items in the reverse order from which they were opened.</p></td>
</tr>
<tr class="even">
<td><p>Ctrl+Alt+Esc</p></td>
<td><p>Cycle through items in the reverse order from which they were opened.</p></td>
</tr>
<tr class="odd">
<td><p>Ctrl+Esc</p></td>
<td><p>Open the Start screen.</p></td>
</tr>
<tr class="even">
<td><p>Ctrl+F4</p></td>
<td><p>Close the window.</p></td>
</tr>
<tr class="odd">
<td><p>Ctrl+Shift+Esc</p></td>
<td><p>Open Task Manager.</p></td>
</tr>
<tr class="even">
<td><p>Ctrl+Tab</p></td>
<td><p>Switch windows within the application currently open.</p></td>
</tr>
<tr class="odd">
<td><p>LaunchApp1</p></td>
<td><p>Open the app that is assigned to this key.</p></td>
</tr>
<tr class="even">
<td><p>LaunchApp2</p></td>
<td><p>Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.</p></td>
</tr>
<tr class="odd">
<td><p>LaunchMail</p></td>
<td><p>Open the default mail client.</p></td>
</tr>
<tr class="even">
<td><p>Windows logo key</p></td>
<td><p>Open the Start screen.</p></td>
</tr>
</tbody>
</table>
<p> </p>
<p>Keyboard Filter settings apply to other standard accounts.</p></td>
</tr>
<tr class="even">
<td><p>Key sequences blocked by [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)</p></td>
<td><p>If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) reference topic.</p>
<p>[Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows 10 Enterprise or Windows 10 Education.</p>
</td>
</tr>
<tr class="odd">
<td><p>Power button</p></td>
<td><p>Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.</p>
<p>For more information on removing the power button or disabling the physical power button, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).</p></td>
</tr>
<tr class="even">
<td><p>Unified Write Filter (UWF)</p></td>
<td><p>UWFsettings apply to all users, including those with assigned access.</p>
<p>For more information, see [Unified Write Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter).</p></td>
</tr>
<tr class="odd">
<td><p>WEDL_AssignedAccess class</p></td>
<td><p>Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.</p>
<p>If you need to use assigned access API, see [WEDL_AssignedAccess](whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess).</p></td>
</tr>
<tr class="even">
<td><p>Welcome Screen</p></td>
<td><p>Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.</p>
<p>For more information, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).</p></td>
</tr>
</tbody>
</table>

20
windows/configuration/start-layout-xml-desktop.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 01/02/2018
ms.date: 09/17/2018
ms.localizationpriority: medium
---
@ -39,6 +39,24 @@ On Windows 10 for desktop editions, the customized Start works by:
IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions.
### Required order
The XML schema for `LayoutModification.xml` requires the following order for tags directly under the LayoutModificationTemplate node:
1. LayoutOptions
1. DefaultLayoutOverride
1. RequiredStartGroupsCollection
1. AppendDownloadOfficeTile OR AppendOfficeSuite (only one Office option can be used at a time)
1. AppendOfficeSuiteChoice
1. TopMFUApps
1. CustomTaskbarLayoutCollection
1. InkWorkspaceTopApps
Comments are not supported in the `LayoutModification.xml` file.
### Supported elements and attributes
>[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element.

8
windows/deployment/deploy-whats-new.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
ms.date: 09/19/2017
ms.date: 09/12/2018
author: greg-lindsay
---
@ -25,6 +25,12 @@ This topic provides an overview of new solutions and online content related to d
- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
## Windows 10 servicing and support
Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
![Support lifecycle](images/support-cycle.png)
## Windows 10 Enterprise upgrade
Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md).

BIN
windows/deployment/images/support-cycle.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.7 KiB

1
windows/deployment/planning/TOC.md
View File

@ -3,6 +3,7 @@
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
## [Windows 10 compatibility](windows-10-compatibility.md)
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
## [Windows 10, version 1809 - Features removed or planned for replacement](windows-10-1809-removed-features.md)
## [Windows 10, version 1803 - Features removed or planned for replacement](windows-10-1803-removed-features.md)
## [Fall Creators update (version 1709) - deprecated features](windows-10-fall-creators-deprecation.md)
## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md)

5
windows/deployment/planning/windows-10-1803-removed-features.md
View File

@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.sitesec: library
author: lizap
ms.author: elizapo
ms.date: 06/01/2018
ms.date: 08/16/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1803
@ -34,6 +34,7 @@ We've removed the following features and functionalities from the installed prod
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features were no longer developing
We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.
@ -48,5 +49,5 @@ If you have feedback about the proposed replacement of any of these features, yo
|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.|
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.|
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.|
|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|

50
windows/deployment/planning/windows-10-1809-removed-features.md Normal file
View File

@ -0,0 +1,50 @@
---
title: Windows 10, version 1809 - Features that have been removed
description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
author: lizap
ms.author: elizapo
ms.date: 08/31/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1809
> Applies to: Windows 10, version 1809
Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809.
> [!TIP]
> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes.
> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md).
**The list is subject to change and might not include every affected feature or functionality.**
## Features we removed in this release
We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method.
|Feature |Instead you can use...|
|-----------|--------------------
|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.|
|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/en-us/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.|
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).|
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|Were no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).|
## Features were no longer developing
We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.
If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature |Instead you can use...|
|-----------|---------------------|
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.|
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.|
|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.|

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

@ -35,8 +35,6 @@ You can learn more about Windows functional and diagnostic data through these ar
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## Appraiser events
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount

2
windows/security/threat-protection/intelligence/TOC.md
View File

@ -10,6 +10,8 @@
### [Exploits and exploit kits](exploits-malware.md)
### [Fileless threats](fileless-threats.md)
### [Macro malware](macro-malware.md)
### [Phishing](phishing.md)

2
windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
View File

@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se
Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
Please apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx) to get started.
If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md).

91
windows/security/threat-protection/intelligence/fileless-threats.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Fileless threats
description: Learn about fileless threats, its categories, and how it runs
keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: eravena
author: eavena
ms.date: 09/14/2018
---
#Fileless threats
What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on scripts that need to be dropped on the targets machine and executed. This, too, is considered a fileless attack.
Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
To shed light on this loaded term, we grouped fileless threats into different categories.
![Comprehensive diagram of fileless malware](images/fileless-malware.png)<br>
*Figure 1. Comprehensive diagram of fileless malware*
First, we can classify the entry point (inner circle in the diagram), which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
Next, we can list the form of entry point (intermediate circle): for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
Finally, we can classify the host of the infection (outer circle): for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
##Type I: No file activity performed
A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually dont have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, its not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
##Type II: Indirect file activity
There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type dont directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
Its possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes its considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
##Type III: Files required to operate
Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
![Image of Kovter's registry key](images/kovter-reg-key.png)<br>
*Figure 2. Kovters registry key*
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
##Categorizing fileless threats by infection host
Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
###Exploits
**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
###Hardware
**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
**CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. Its a very important component that operates at a very low level and executes before the boot sector. Its possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
###Execution and injection
**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and theyre implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: theyre textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but its accessible by the operating system, and modern antivirus products have the capability to scan and restore it.

BIN
windows/security/threat-protection/intelligence/images/fileless-malware.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 194 KiB

BIN
windows/security/threat-protection/intelligence/images/kovter-reg-key.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

4
windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
View File

@ -46,6 +46,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx).
If you have any questions, you can also contact us using our [partnerships contact form](https://www.microsoft.com/security/portal/partnerships/contactus.aspx).
If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md).

2
windows/security/threat-protection/intelligence/virus-initiative-criteria.md
View File

@ -54,4 +54,4 @@ Your organization must meet the following eligibility requirements to participat
### Apply to MVI
If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx).
If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md).

2
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -72,7 +72,7 @@ The following tables are exposed as part of Advanced hunting:
- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
- **LogonEvents** - Stores login events
- **ImageLoadEvents** - Stores load dll events
- **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others.
- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others.
These tables include data from the last 30 days.

44
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -10,15 +10,13 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 05/29/2018
ms.date: 09/12/2018
---
# Configure machine proxy and Internet connectivity settings
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -46,18 +44,24 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
The static proxy is configurable through Group Policy (GP). The group policy can be found under:
- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
![Image of Group Policy setting](images/atp-gpo-proxy1.png)
- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
- Configure the proxy:<br>
![Image of Group Policy setting](images/atp-gpo-proxy2.png)
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format:
The registry value `TelemetryProxyServer` takes the following string format:
```text
<server name or ip>:<port>
```
For example: 10.0.0.6:8080
```text
<server name or ip>:<port>
```
For example: 10.0.0.6:8080
The registry value `DisableEnterpriseAuthProxy` should be set to 1.
The registry value `DisableEnterpriseAuthProxy` should be set to 1.
## Configure the proxy server manually using netsh command
@ -82,7 +86,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
>![NOTE]
>[!NOTE]
> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
@ -124,14 +128,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example:
```text
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
```
```text
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
```
If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

4
windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
View File

@ -35,7 +35,9 @@ If your client secret expires or if you've misplaced the copy provided when you
3. Select your tenant.
4. Click **App registrations** > **All apps**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
4. Click **App registrations**. Then in the applications list, select the application:
- For SIEM: `https://WindowsDefenderATPSiemConnector`
- For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
5. Select **Keys** section, then provide a key description and specify the key validity duration.

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -180,6 +180,7 @@ This field helps to enumerate and report state on the relevant security properti
| **4.** | If present, Secure Memory Overwrite is available. |
| **5.** | If present, NX protections are available. |
| **6.** | If present, SMM mitigations are available. |
| **7.** | If present, Mode Based Execution Control is available. |
#### InstanceIdentifier
@ -199,6 +200,7 @@ This field describes the required security properties to enable virtualization-b
| **4.** | If present, Secure Memory Overwrite is needed. |
| **5.** | If present, NX protections are needed. |
| **6.** | If present, SMM mitigations are needed. |
| **7.** | If present, Mode Based Execution Control is needed. |
#### SecurityServicesConfigured
@ -274,4 +276,4 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.