+This version of Surface Diagnostic Toolkit for Business adds support for the following: +- Advanced Setup option to unlock admin capabilities through the installer UI, without requiring command line configuration. +- Accessibility improvements. +- Surface brightness control settings included in logs. +- External monitor compatibility support link in report generator. diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index e42a925b72..0f888bcc93 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -154,7 +154,7 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi * **Key Length** – 2048 * **Hash Algorithm** – SHA-256 * **Type** – SSL Server Authentication -* **Key Usage** – Key Encipherment +* **Key Usage** – Digital signature, Key Encipherment * **Provider** – Microsoft Enhanced RSA and AES Cryptographic Provider * **Expiration Date** – 15 Months from certificate creation * **Key Export Policy** – Exportable diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index baef69db7c..f1fcb46348 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 09/12/2018 ms.author: jdecker ms.topic: article --- @@ -41,11 +40,16 @@ Support for broad deployments of Surface devices using Windows Autopilot, includ ### Surface device support Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709: -* Surface Pro (Model 1796) + +* Surface Pro (5th gen) +* Surface Laptop(1st gen) +* Surface Studio (1st gen) +* Surface Pro 6 * Surface Book 2 -* Surface Laptop -* Surface Studio +* Surface Laptop 2 +* Surface Studio 2 * Surface Go +* Surface Go with LTE Advanced ## Surface partners enabled for Windows Autopilot Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 6df81f8b27..c57aa58776 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -32,7 +32,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl - **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff - **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop - **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom -- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features +- **Windows 10, version 1703 or later** which brings 3D for everyone and other new and updated Windows features - **Minecraft: Education Edition** which provides an open and immersive environment to promote creativity, collaboration, and problem-solving With Microsoft Education, schools can: @@ -60,11 +60,11 @@ Click the link to watch the video or follow the step-by-step guidance for each. ## Prerequisites Complete these tasks before you start the walkthrough: -- Make sure all the devices that you want to configure, such as student PCs, have the latest Windows 10, version 1703 image installed. +- Make sure all the devices that you want to configure, such as student PCs, have Windows 10 (version 1703 or later) image installed. - We recommend Windows 10, version 1703 to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices. + We recommend Windows 10, version 1703 or later, to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices. - If you don't have Windows 10, version 1703 installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough. + If you don't have Windows 10, version 1703 or later, installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough. - Have an education-verified tenant to qualify for an Office 365 for Education subscription. You also need to be education-verified to use School Data Sync and Intune for Education. diff --git a/it-client b/it-client new file mode 160000 index 0000000000..61e0a21977 --- /dev/null +++ b/it-client @@ -0,0 +1 @@ +Subproject commit 61e0a21977430f3c0eef1c32e398999dc090c332 diff --git a/mdop/mbam-v25/client-event-logs.md b/mdop/mbam-v25/client-event-logs.md index f8d2dc07c4..8f25a56a05 100644 --- a/mdop/mbam-v25/client-event-logs.md +++ b/mdop/mbam-v25/client-event-logs.md @@ -13,7 +13,7 @@ ms.date: 06/16/2016 # Client Event Logs - +MBAM Client event logs are located in Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM - Operational path. The following table contains event IDs that can occur on the MBAM Client.
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
**EncryptionMethodByDriveType** -Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
+Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
| Home | diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index a20317c21f..d286f6f918 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/26/2018 +ms.date: 04/30/2019 --- # DeviceStatus CSP @@ -157,6 +157,12 @@ Valid values: Supported operation is Get. +If more than one antivirus provider is active, this node returns: +- 1 – If every active antivirus provider has a valid signature status. +- 0 – If any of the active antivirus providers has an invalid signature status. + +This node also returns 0 when no antivirus provider is active. + **DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. @@ -186,6 +192,12 @@ Valid values: Supported operation is Get. +If more than one antispyware provider is active, this node returns: +- 1 – If every active antispyware provider has a valid signature status. +- 0 – If any of the active antispyware providers has an invalid signature status. + +This node also returns 0 when no antispyware provider is active. + **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 22ee108fb4..6a8c928ee7 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -553,7 +553,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
|---|
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + + +Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + +If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +If you disable or do not configure this policy setting, users control this setting. + + + + +ADMX Info: +- GP English name: *Energy Saver Battery Threshold (on battery)* +- GP name: *EsBattThresholdDC* +- GP element: *EnterEsBattThreshold* +- GP path: *System/Power Management/Energy Saver Settings* +- GP ADMX file name: *power.admx* + + + +Supported values: 0-100. The default is 70. + + + + + + + + + +
+ + +**Power/EnergySaverBatteryThresholdPluggedIn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + +If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +If you disable or do not configure this policy setting, users control this setting. + + + + +ADMX Info: +- GP English name: *Energy Saver Battery Threshold (plugged in)* +- GP name: *EsBattThresholdAC* +- GP element: *EnterEsBattThreshold* +- GP path: *System/Power Management/Energy Saver Settings* +- GP ADMX file name: *power.admx* + + + +Supported values: 0-100. The default is 70. + + + + + + + + + +
+ **Power/HibernateTimeoutOnBattery** @@ -558,6 +728,438 @@ ADMX Info:
+ +**Power/SelectLidCloseActionOnBattery** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + + +ADMX Info: +- GP English name: *Select the lid switch action (on battery)* +- GP name: *DCSystemLidAction_2* +- GP element: *SelectDCSystemLidAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported lid close switch actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectLidCloseActionPluggedIn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + + +ADMX Info: +- GP English name: *Select the lid switch action (plugged in)* +- GP name: *ACSystemLidAction_2* +- GP element: *SelectACSystemLidAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported lid close switch actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectPowerButtonActionOnBattery** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + + +ADMX Info: +- GP English name: *Select the Power button action (on battery)* +- GP name: *DCPowerButtonAction_2* +- GP element: *SelectDCPowerButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Power button actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectPowerButtonActionPluggedIn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + + +ADMX Info: +- GP English name: *Select the Power button action (plugged in)* +- GP name: *ACPowerButtonAction_2* +- GP element: *SelectACPowerButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Power button actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectSleepButtonActionOnBattery** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + + +ADMX Info: +- GP English name: *Select the Sleep button action (on battery)* +- GP name: *DCSleepButtonAction_2* +- GP element: *SelectDCSleepButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Sleep button actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectSleepButtonActionPluggedIn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + + +ADMX Info: +- GP English name: *Select the Sleep button action (plugged in)* +- GP name: *ACSleepButtonAction_2* +- GP element: *SelectACSleepButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Sleep button actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ **Power/StandbyTimeoutOnBattery** @@ -683,14 +1285,291 @@ ADMX Info: +
-Footnote: + +**Power/TurnOffHybridSleepOnBattery** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. + +If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). + +If you set this policy setting to 1 or do not configure this policy setting, users control this setting. + + + + +ADMX Info: +- GP English name: *Turn off hybrid sleep (on battery)* +- GP name: *DCStandbyWithHiberfileEnable_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported values for Hybrid sleep (on battery): +- 0 - no hibernation file for sleep (default) +- 1 - hybrid sleep + + + + + + + + + + +
+ + +**Power/TurnOffHybridSleepPluggedIn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. + +If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). + +If you set this policy setting to 1 or do not configure this policy setting, users control this setting. + + + + +ADMX Info: +- GP English name: *Turn off hybrid sleep (plugged in)* +- GP name: *ACStandbyWithHiberfileEnable_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported values for Hybrid sleep (plugged in): +- 0 - no hibernation file for sleep (default) +- 1 - hybrid sleep + + + + + + + + + + +
+ + +**Power/UnattendedSleepTimeoutOnBattery** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. + +If you disable or do not configure this policy setting, users control this setting. + +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + + + + +ADMX Info: +- GP English name: *Specify the unattended sleep timeout (on battery)* +- GP name: *UnattendedSleepTimeOutDC* +- GP element: *EnterUnattendedSleepTimeOut* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +Default value for unattended sleep timeout (on battery): +300 + + + + + + + + + +
+ + +**Power/UnattendedSleepTimeoutPluggedIn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. + +If you disable or do not configure this policy setting, users control this setting. + +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + + + + +ADMX Info: +- GP English name: *Specify the unattended sleep timeout (plugged in)* +- GP name: *UnattendedSleepTimeOutAC* +- GP element: *EnterUnattendedSleepTimeOut* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +Default value for unattended sleep timeout (plugged in): +300 + + + + + + + + + + +
+ +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index bccb2e581b..e59ee6fa01 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,13 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/14/2018 +ms.date: 05/01/2019 --- # Policy CSP - Privacy > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -4851,16 +4851,28 @@ ADMX Info: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. + +## Privacy policies supported by Windows Holographic + +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) + + + +## Privacy policies supported by Windows Holographic for Business + +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index f51a32f819..3106f2b945 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/30/2018 +ms.date: 05/01/2019 --- # Policy CSP - Search @@ -849,16 +849,27 @@ The following list shows the supported values: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. + +## Search policies supported by Windows Holographic +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) + + +## Search policies supported by Windows Holographic for Business + +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index ec1d131e0d..e6bce4de0b 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,13 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/09/2018 +ms.date: 05/01/2019 --- # Policy CSP - Security > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -739,18 +739,28 @@ The following list shows the supported values: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. + +## Security policies supported by Windows Holographic +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) + + +## Security policies supported by Windows Holographic for Business + +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index fa1b94e71a..5ff09bf3e4 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/09/2018 +ms.date: 05/01/2019 --- # Policy CSP - Settings @@ -839,16 +839,29 @@ To validate on Desktop, do the following: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. + +## Settings policies supported by Windows Holographic +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) + + +## Settings policies supported by Windows Holographic for Business + +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 43023aecdc..bd274c38df 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/09/2018 +ms.date: 05/01/2019 --- # Policy CSP - Speech @@ -82,14 +82,27 @@ The following list shows the supported values: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. + +## Speech policies supported by Windows Holographic + +- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate) + + + +## Speech policies supported by Windows Holographic for Business + +- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate) + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 16bfa23ec7..77c58a2714 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,13 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/24/2018 +ms.date: 05/01/2019 --- # Policy CSP - System > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -1433,16 +1433,30 @@ ADMX Info: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. + +## System policies supported by Windows Holographic + +- [System/AllowTelemetry](#system-allowtelemetry) +- [System/AllowLocation](#system-allowlocation) + + + +## System policies supported by Windows Holographic for Business + +- [System/AllowTelemetry](#system-allowtelemetry) +- [System/AllowLocation](#system-allowlocation) + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 2e24ad1c47..8e9d7a15c7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,13 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/29/2018 +ms.date: 05/08/2019 --- # Policy CSP - Update > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -57,9 +57,24 @@ ms.date: 08/29/2018
+ > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). @@ -933,6 +949,76 @@ The following list shows the supported values:
+ +**Update/AutomaticMaintenanceWakeUp** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. + +> [!Note] +> If the OS power wake policy is explicitly disabled, then this setting has no effect. + +If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required. + +If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. + + + +ADMX Info: +- GP English name: *Automatic Maintenance WakeUp Policy* +- GP category English path: *Windows Components/Maintenance Scheduler* +- GP name: *WakeUpPolicy* +- GP path: *Windows Components/Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +Supported values: +- true - Enable +- false - Disable (Default) + + + + + + + + + +
+ **Update/BranchReadinessLevel** @@ -995,6 +1081,306 @@ The following list shows the supported values:
+ +**Update/ConfigureDeadlineForFeatureUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. + +Default value is 7. + + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineForFeatureUpdates* +- GP element: *ConfigureDeadlineForFeatureUpdates* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + +
+ + +**Update/ConfigureDeadlineForQualityUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineForQualityUpdates* +- GP element: *ConfigureDeadlineForQualityUpdates* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. + +Default value is 7. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineGracePeriod** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineGracePeriod* +- GP element: *ConfigureDeadlineGracePeriod* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. + +Default value is 2. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineNoAutoReboot** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. + +When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineNoAutoReboot* +- GP element: *ConfigureDeadlineNoAutoReboot* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values: +- 1 - Enabled +- 0 (default) - Disabled + + + + + + + + + +
+ + +**Update/ConfigureFeatureUpdateUninstallPeriod** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. + + + + +
+ **Update/ConfigureFeatureUpdateUninstallPeriod** @@ -3571,15 +3957,65 @@ ADMX Info: -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. + + +## Update policies supported by Windows Holographic + +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/ScheduledInstallDay](#update-scheduledinstallday) +- [Update/ScheduledInstallTime](#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) + + + +## Update policies supported by Windows Holographic for Business + +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/ScheduledInstallDay](#update-scheduledinstallday) +- [Update/ScheduledInstallTime](#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) + + + +## Update policies supported by IoT Core + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) + + + +## Update policies supported by IoT Enterprise + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 8d16e2c852..ff2649412f 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 05/01/2019 --- # Policy CSP - Wifi @@ -379,36 +379,49 @@ Supported operations are Add, Delete, Get, and Replace. -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. ## Wifi policies that can be set using Exchange Active Sync (EAS) -- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](#wifi-allowwifi) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) + +## Wifi policies supported by Windows Holographic + +- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration) + + + +## Wifi policies supported by Windows Holographic for Business + +- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration) + + ## Wifi policies supported by IoT Core -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](#wifi-allowwifi) -- [Wifi/WLANScanMode](#wifi-wlanscanmode) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) +- [Wifi/WLANScanMode](#wifi-wlanscanmode) ## Wifi policies supported by Microsoft Surface Hub -- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) +- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index e75a0cf6de..e307f8f433 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,12 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/12/2018 +ms.date: 05/07/2019 --- # Policy CSP - WindowsLogon - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -19,23 +20,182 @@ ms.date: 07/12/2018 ## WindowsLogon policies
-
+
- + WindowsLogon/AllowAutomaticRestartSignOn + +
- + WindowsLogon/ConfigAutomaticRestartSignOn +
- WindowsLogon/DisableLockScreenAppNotifications
- WindowsLogon/DontDisplayNetworkSelectionUI +
- + WindowsLogon/EnableFirstLogonAnimation +
- WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
- WindowsLogon/HideFastUserSwitching -
- - WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
+ + +**WindowsLogon/AllowAutomaticRestartSignOn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 6 |
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. + +This occurs only if the last interactive user did not sign out before the restart or shutdown. + +If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns. + +If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. + +After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot. + +If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sign-in and lock last interactive user automatically after a restart* +- GP name: *AutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + + + +
+ + +**WindowsLogon/ConfigAutomaticRestartSignOn** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 6 |
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured. + +If you enable this policy setting, you can choose one of the following two options: + +- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +BitLocker is suspended during updates if: + - The device does not have TPM 2.0 and PCR7 + - The device does not use a TPM-only protector +- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + +If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot* +- GP name: *ConfigAutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + +
@@ -188,6 +348,78 @@ ADMX Info:
+ +**WindowsLogon/EnableFirstLogonAnimation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. + +If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. + +If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services. + +If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation. + +> [!NOTE] +> The first sign-in animation is not displayed on Server, so this policy has no effect. + + + + +ADMX Info: +- GP English name: *Show first sign-in animation* +- GP name: *EnableFirstLogonAnimation* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + + +Supported values: +- false - disabled +- true - enabled + + + + + + + + + +
+ **WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** @@ -313,75 +545,15 @@ To validate on Desktop, do the following: -
- - -**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - -This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. - -If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. - -If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Sign-in last interactive user automatically after a system-initiated restart* -- GP name: *AutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* - - - -
- -Footnote: +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 77dea602cf..f5d0d53a0f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -30,7 +30,7 @@ The following diagram shows the Reboot configuration service provider management > [!Note] > If this node is set to execute during a sync session, the device will reboot at the end of the sync session. -
The supported operations are Execute and Get. +
The supported operations are Execute and Get.
**Schedule**The supported operation is Get.
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index e3351b8c80..95f47c5df9 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -29,7 +29,7 @@ The **Reclaim seat from user** operation returns reclaimed seats for a user in tPOST
DELETE
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
->Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
->Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.
+>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. +>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ## Firmware-embedded activation key @@ -35,9 +38,9 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: -1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
- a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
- b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
+1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: +- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 +- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. 3. The admin can now assign subscription licenses to users. @@ -59,7 +62,7 @@ Also in this article: You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -72,6 +75,9 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) +>[!NOTE] +>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. + ## Preparing for deployment: reviewing requirements Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. @@ -151,12 +157,12 @@ Now the device is Azure AD joined to the company’s subscription. ### Step 2: Pro edition activation >[!IMPORTANT] ->If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
+>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. >If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-**Figure 7a - Windows 10 Pro activation in Settings**
+**Figure 7a - Windows 10 Pro activation in Settings** Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). @@ -176,11 +182,17 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g
-**Figure 9 - Windows 10 Enterprise subscription in Settings**
+**Figure 9 - Windows 10 Enterprise subscription in Settings** If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. +>[!NOTE] +>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +>Name: Windows(R), Professional edition +>Description: Windows(R) Operating System, RETAIL channel +>Partial Product Key: 3V66T + ## Virtual Desktop Access (VDA) Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). @@ -205,23 +217,20 @@ Use the following figures to help you troubleshoot when users experience these c - [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. -
-**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
+**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings** -
-**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
+**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings** -
-**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
+**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings** ### Review requirements on devices diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 67561a162b..b5d8733948 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -32,6 +32,14 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor ## Free trial account +**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** + +From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. +In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles. +There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. + +**If you do not already have a Microsoft services subscription** + You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. >[!NOTE] diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 1750d67101..da352844e5 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -606,7 +606,7 @@ In these steps, you generate offline media from the MDT Production deployment sh Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench. -1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\\MDTBuildLab\\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. +1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\MDTProduction\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. 2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. 3. In the **General** tab, configure the following: 1. Clear the Generate x86 boot image check box. diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 8dcb9a871f..933f240e24 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -26,8 +26,8 @@ To configure your environment for BitLocker, you will need to do the following: 3. Configure the operating system deployment task sequence for BitLocker. 4. Configure the rules (CustomSettings.ini) for BitLocker. -**Note** -Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +>[!NOTE] +>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). @@ -35,8 +35,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. -**Note** -Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. +>[!NOTE] +>Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. @@ -79,8 +79,8 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. -**Note** -If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +>[!NOTE] +>If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. ### Set permissions in Active Directory for BitLocker diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index c815cc9c41..a2f2212ae8 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -21,15 +21,15 @@ This topic is designed to teach you how to use the MDT database to pre-stage inf MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. -**Note** -Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. +>[!NOTE] +>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. ## Create the deployment database The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. -**Note** -Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. +>[!NOTE] +>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. 1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. 2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**: diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 5ecbefe38b..e1c1d22bc7 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -20,6 +20,7 @@ ms.topic: article - Windows 8.1 - Windows 8 - Windows 7 +- Windows Server 2016 - Windows Server 2012 - Windows Server 2008 R2 @@ -29,10 +30,28 @@ After you deploy and store the customized databases on each of your local comput ## Command-Line Options for Deploying Customized Database Files +Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: -The command-line options use the following conventions. +``` +Microsoft Windows [Version 10.0.14393] +(c) 2016 Microsoft Corporation. All rights reserved. -Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] +C:\Windows\system32>Sdbinst.exe /? +Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" + + -? - print this help text. + -p - Allow SDBs containing patches. + -q - Quiet mode: prompts are auto-accepted. + -u - Uninstall. + -g {guid} - GUID of file (uninstall only). + -n "name" - Internal name of file (uninstall only). + +C:\Windows\system32>_ +``` + +The command-line options use the following conventions: + +Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] The following table describes the available command-line options. @@ -49,6 +68,18 @@ The following table describes the available command-line options.
-?
Displays the Help for the Sdbinst.exe tool.
+For example,
+sdbinst.exe -?
-p
Allows SDBs installation with Patches
+For example,
+sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb
-q
Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).
For example,
@@ -72,18 +103,6 @@ The following table describes the available command-line options.For example,
sdbinst.exe -n "My_Database"
-?
Displays the Help for the Sdbinst.exe tool.
-For example,
-sdbinst.exe -?
-p
Allows SDBs installation with Patches
-For example,
-sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| -|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| +|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image.
However, if you install Windows 10, version 1803, you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| ## Features we’re no longer developing diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 53c10d8b86..23981b631a 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -18,6 +18,13 @@ The Update Compliance solution of Windows Analytics provides you with informatio  +> [!IMPORTANT] +> There are currently two known issues affecting the Delivery Optimization status displayed in these blades: +>- Devices running Windows 10, version 1803 or older versions are not sending the correct configuration profile. As a result, the information in the Device Configuration blade might not accurately reflect the settings in your environment. +>- Some devices running Windows 10, version 1809 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance. +> +>Look for fixes for both of these issues in a forthcoming update. + ## Delivery Optimization Status The Delivery Optimization Status section includes three blades: diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 582639b74e..7fbacf8aee 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: JaimeO +author: greg-lindsay ms.localizationpriority: medium -ms.author: jaimeo +ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article --- @@ -37,7 +37,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | --- | --- | --- | | [Download mode](#download-mode) | DODownloadMode | 1511 | | [Group ID](#group-id) | DOGroupID | 1511 | -| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | +| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | | [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | | [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | | [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 | @@ -70,7 +70,7 @@ Delivery Optimization uses locally cached updates. In cases where devices have a - The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location. >[!NOTE] ->It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices). +>It is possible to configure preferred cache devices. For more information, see [Group ID](#group-id). All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size). @@ -79,7 +79,7 @@ Additional options available that control the impact Delivery Optimization has o - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. -- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. @@ -89,7 +89,7 @@ Additional options available that control the impact Delivery Optimization has o - [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. Administrators can further customize scenarios where Delivery Optimization will be used with the following settings: -- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled. +- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled. - [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled. - [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching. - [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery. diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 1c13688e4e..178f964ce4 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: JaimeO +author: greg-lindsay ms.localizationpriority: medium -ms.author: jaimeo +ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article --- diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 9ef541fce2..af88e40987 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -69,8 +69,8 @@ Click the following Microsoft Mechanics video for an overview of the updated rel ## Learn more -[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) - +- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) +- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) ## Related topics diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 13c1dce96d..ee8f3c4fde 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,6 +42,9 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +> [!NOTE] +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. + You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). @@ -159,8 +162,9 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. -> >If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>When using RDP, only active RDP sessions are considered as logged on users. + ## Registry keys used to manage restart The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 7a7dfcc5d0..37103745b0 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -26,7 +26,7 @@ ms.topic: article > >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products. -Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10. +Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. | Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program | | --- | --- | --- | --- | --- | @@ -44,6 +44,9 @@ Semi-Annual Channel (Targeted) is the default servicing channel for all Windows >[!NOTE] >The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +>[!NOTE] +>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. + ## Assign devices to Semi-Annual Channel >[!IMPORTANT] diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index c1f447026d..9942044960 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -86,7 +86,7 @@ If you have devices that appear in other solutions, but not Device Health (the D 3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). 4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). 5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace +6. Add the Device Health solution back to your Log Analytics workspace. 7. Wait 48 hours for activity to appear in the reports. 8. If you need additional troubleshooting, contact Microsoft Support. @@ -195,6 +195,11 @@ Upgrade Readiness only collects app inventory on devices that are not yet upgrad Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.) Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. + +There are two additional configurations to check: +1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction. +2. Make sure IE is not running in InPrivate mode. + Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). >[!NOTE] diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index b65bcc0c93..df6c14cfbf 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -141,3 +141,5 @@ There are different identifiers for the same update in different contexts. It’ - Small integers (especially in Datastore) can be local IDs  +## Windows Setup log files analysis using SetupDiag tool +SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 5f09b45f16..4c56170e4d 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -20,7 +20,8 @@ If you run into problems when using Windows Update, start with the following ste 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. 2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - + + - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 9753f76d40..b7b51ae981 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -12,16 +12,7 @@ ms.collection: M365-analytics # Upgrade Readiness data sharing -To enable data sharing with the Upgrade Readiness solution, the following endpoints must be accessible: - - -| **Endpoint** | **Function** | -|---------------------------------------------------------|-----------| -| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experiences and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | -| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. | -| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | - -Whitelist these endpoints on your network. This might require working with your organizations's network security group. +To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted. ## Connectivity to the Internet @@ -38,10 +29,10 @@ In order to use the direct connection scenario, set the parameter **ClientProxy= This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. In order to set the WinHTTP proxy system-wide on your computers, you need to -•Use the command netsh winhttp set proxy \
StorePath
Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.
Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.
/apps
| Windows 10 installation media | Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). |
| Internet access | If you are behind a firewall, see the detailed [networking requirements](windows-autopilot-requirements-network.md). Otherwise, just ensure that you have a connection to the Internet. |
| Hyper-V or a physical device running Windows 10 | The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. |
| A Premium Intune account | This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab. |
[Enable Hyper-V](#enable-hyper-v) +
[Create a demo VM](#create-a-demo-vm) +
[Set ISO file location](#set-iso-file-location) +
[Determine network adapter name](#determine-network-adapter-name) +
[Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) +
[Install Windows 10](#install-windows-10) +
[Capture the hardware ID](#capture-the-hardware-id) +
[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) +
[Verify subscription level](#verify-subscription-level) +
[Configure company branding](#configure-company-branding) +
[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) +
[Register your VM](#register-your-vm) +
[Autopilot registration using Intune](#autopilot-registration-using-intune) +
[Autopilot registration using MSfB](#autopilot-registration-using-msfb) +
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) +
[Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +
[Assign the profile](#assign-the-profile) +
[Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +
[See Windows Autopilot in action](#see-windows-autopilot-in-action) +
[Remove devices from Autopilot](#remove-devices-from-autopilot) +
[Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) +
[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) +
[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) +
[Add a Win32 app](#add-a-win32-app) +
[Prepare the app for Intune](#prepare-the-app-for-intune) +
[Create app in Intune](#create-app-in-intune) +
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
[Add Office 365](#add-office-365) +
[Create app in Intune](#create-app-in-intune) +
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
[Glossary](#glossary) + +## Verify support for Hyper-V + +If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). + +>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). + +If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. + +## Enable Hyper-V + +To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: -Open a PowerShell prompt **as an administrator** and run the following: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All ``` -You will be prompted to restart your device, so save all your work and restart it before you continue. +This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: -### Create and start your demo Virtual Machine - -Now that Hyper-V is enabled, proceed to create your Virtual Machine. - -Open a PowerShell prompt **as an administrator** and run the following: ```powershell -New-VMSwitch -Name AutopilotExternal -NetAdapterName
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
+
+After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
+
+To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
+
+## Create a demo VM
+
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+
+To use Windows Powershell we just need to know two things:
+
+1. The location of the Windows 10 ISO file.
+ - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+2. The name of the network interface that connects to the Internet.
+ - In the example, we use a Windows PowerShell command to determine this automatically.
+
+After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
+
+### Set ISO file location
+
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+- When asked to select a platform, choose **64 bit**.
+
+After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+
+1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
+3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
+
+### Determine network adapter name
+
+The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
+
+```powershell
+(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+```
+
+The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
+
+For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+
+### Use Windows PowerShell to create the demo VM
+
+All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
+
+>[!IMPORTANT]
+>**VM switch**: a VM switch is how Hyper-V connects VMs to a network. None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. Simple. Simple download mode with no peering. Bypass. Use BITS instead of Windows Update Delivery Optimization.Set to Bypass to restrict traffic. None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. Simple. Simple download mode with no peering. Bypass. Use BITS instead of Windows Update Delivery Optimization. **Set to Bypass** to restrict traffic. 0. Turns off Delivery Optimization. 1. Gets or sends updates and apps to PCs on the same NAT only. 2. Gets or sends updates and apps to PCs on the same local network domain. 3. Gets or sends updates and apps to PCs on the Internet. 99. Simple download mode with no peering. 100. Use BITS instead of Windows Update Delivery Optimization. Yes
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
+
+```powershell
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-Add-VMDvdDrive -Path
+PS C:\autopilot> dir c:\iso
+
+
+ Directory: C:\iso
+
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 3/12/2019 2:46 PM 4627343360 win10-eval.iso
+
+PS C:\autopilot> (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+Ethernet
+PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+
+Name SwitchType NetAdapterInterfaceDescription
+---- ---------- ------------------------------
+AutopilotExternal External Intel(R) Ethernet Connection (2) I218-LM
+
+PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+
+Name State CPUUsage(%) MemoryAssigned(M) Uptime Status Version
+---- ----- ----------- ----------------- ------ ------ -------
+WindowsAutopilot Off 0 0 00:00:00 Operating normally 8.0
+
+PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+PS C:\autopilot> Start-VM -VMName WindowsAutopilot
+PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
+PS C:\autopilot> dir
+
+ Directory: C:\autopilot
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+d----- 3/12/2019 3:15 PM VMData
+d----- 3/12/2019 3:42 PM VMs
+
+PS C:\autopilot>
+
### Install Windows 10
-Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutopilot** Virtual Machine.
-Make sure the Virtual Machine booted from the installation media you've provided and complete the Windows installation process.
+Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
-Once the installation is complete, create a checkpoint. You will create multiple checkpoints throughout this process, which you can later use to go through the process again.
+ 
+ 
+ 
+ 
+ 
+ 
+
+>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+
+ 
+
+Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
+
+ 
+
+To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
-To create the checkpoint, open a PowerShell prompt **as an administrator** and run the following:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
```
-## Capture your Virtual Machine's hardware ID
+Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
-On the newly created Virtual Machine, open a PowerShell prompt **as an administrator** and run the following:
-```powershell
-md c:\HWID
-Set-Location c:\HWID
-Set-ExecutionPolicy Unrestricted
-Install-Script -Name Get-WindowsAutopilotInfo
-Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-```
+## Capture the hardware ID
+
+>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+
+Follow these steps to run the PS script:
+
+1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+
+ ```powershell
+ md c:\HWID
+ Set-Location c:\HWID
+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+ Install-Script -Name Get-WindowsAutopilotInfo -Force
+ $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+ Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+ ```
+
+When you are prompted to install the NuGet package, choose **Yes**.
+
+See the sample output below.
+
+
+PS C:\> md c:\HWID
+
+ Directory: C:\
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+d----- 3/14/2019 11:33 AM HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+ Directory: C:\HWID
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
+
+PS C:\HWID>
+
+
+Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
+
+**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+
+
+
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+
+If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
>[!NOTE]
->Accept all prompts while running the above cmdlets.
+>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
-### Mount the Virtual Hard Drive (VHD)
+## Reset the VM back to Out-Of-Box-Experience (OOBE)
-To gain access to the AutopilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive.
-
-To do that, on your device (**not** on the Virtual Machine), open a PowerShell prompt **as an administrator** and run the following:
-```powershell
-Stop-VM -VMName WindowsAutopilot
-```
-
-Once the Virtual Machine has stopped, create a checkpoint:
-```powershell
-Checkpoint-VM -Name WindowsAutopilot -SnapshotName "HWID captured"
-```
-
-With the checkpoint created, continue to mount the VHD:
-```powershell
-Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
-```
-
-Once mounted, navigate to the new drive and copy **AutopilotHWID.csv** to a location on your device.
-
-Before you proceed, unmount the VHD to unlock it and start the Virtual Machine:
-```powershell
-Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
-Start-VM -VMName WindowsAutopilot
-```
-
-## Reset Virtual Machine back to Out-Of-Box-Experience (OOBE)
-
-With the hardware ID captured, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
-Resetting your Virtual Machine can take a while. Proceed to the next steps while your Virtual Machine is resetting.
+Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
+## Verify subscription level
+
+For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+
+**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
+
+
+
+If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+
+To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
+
+
+
## Configure company branding
->[!IMPORTANT]
->If you already have company branding configured in Azure Active Directory, you can skip this step.
-
-Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding).
+If you already have company branding configured in Azure Active Directory, you can skip this step.
>[!IMPORTANT]
>Make sure to sign-in with a Global Administrator account.
-Click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
+Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
-
+
-Once finished, click **Save**.
+When you are finished, click **Save**.
>[!NOTE]
>Changes to company branding can take up to 30 minutes to apply.
-
## Configure Microsoft Intune auto-enrollment
->[!IMPORTANT]
->If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
+If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
-Navigate to [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**.
+Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
-
+
-## Register your Virtual Machine to your organization
+## Register your VM
-Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutopilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
+Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB.
-
+### Autopilot registration using Intune
+
+1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
+
+ 
+
+ >[!NOTE]
+ >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
+
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
+
+ 
+
+ You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
+
+3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
+
+4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
+
+ 
+
+### Autopilot registration using MSfB
+
+>[!IMPORTANT]
+>If you've already registered your VM (or device) using Intune, then skip this step.
+
+Optional: see the following video for an overview of the process.
+
+
+
+> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
+
+First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview) to create a new one.
+
+Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
+
+Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
+
+
+
+Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
+
+
## Create and assign a Windows Autopilot deployment profile
-Navigate to [Windows enrollment in Microsoft Intune](https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/OverviewBlade/windowsEnrollment).
+>[!IMPORTANT]
+>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
-Make sure to sync the device you've just registered, by clicking on **Devices** under **Windows Autopilot Deployment Program (Preview)** and selecting **Sync**. Wait a few moments before refreshing to see your Virtual Machine added.
+Pick one:
+- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-
+### Create a Windows Autopilot deployment profile using Intune
-### Create a Windows Autopilot deployment profile
+>[!NOTE]
+>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
-Click on **Deployment profiles** under **Windows Autopilot Deployment Program (Preview)** and select **Create profile**.
+
-
+>The example above lists both a physical device and a VM. Your list should only include only one of these.
-In the **Create profile** blade, set the name to **Autopilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
-| Setting name | Value |
+To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
+
+
+
+Click on **Create profile**.
+
+
+
+On the **Create profile** blade, use the following values:
+
+| Setting | Value |
|---|---|
-|Privacy Settings|Hide|
-|End user license agreement (EULA)|Hide|
-|User account type|Standard|
+| Name | Autopilot Lab profile |
+| Description | blank |
+| Convert all targeted devices to Autopilot | No |
+| Deployment mode | User-driven |
+| Join to Azure AD as | Azure AD joined |
-Click on **Save** and **Create**.
+Click on **Out-of-box experience (OOBE)** and configure the following settings:
-
+| Setting | Value |
+|---|---|
+| EULA | Hide |
+| Privacy Settings | Hide |
+| Hide change account options | Hide |
+| User account type | Standard |
+| Apply device name template | No |
-### Assign a Windows Autopilot deployment profile
+See the following example:
-With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **Autopilot Intune Demo** under the **Autopilot profile**. Click on **Assign**.
+
-
+Click on **OK** and then click on **Create**.
-Wait a few minutes for all changes to apply.
+>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+
+#### Assign the profile
+
+Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
+
+To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
+
+
+
+Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
+
+Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
+
+
+
+Now click **Create** to finish creating the new group.
+
+Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
+
+With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
+
+From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
+
+
+
+Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
+
+
+
+Click **Select** and then click **Save**.
+
+
+
+It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+
+### Create a Windows Autopilot deployment profile using MSfB
+
+If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
+
+A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
+
+First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
+
+Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
+
+
+
+Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
+
+To CREATE the profile:
+
+Select your device from the **Devices** list:
+
+
+
+On the Autopilot deployment dropdown menu, select **Create new profile**:
+
+
+
+Name the profile, choose your desired settings, and then click **Create**:
+
+
+
+The new profile is added to the Autopilot deployment list.
+
+To ASSIGN the profile:
+
+To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
+
+
+
+Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
+
+
+
+>[!IMPORTANT]
+>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
-By now, your Virtual Machine should be back to OOBE. Make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding)
-, otherwise those changes might not show up.
+If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+
+
+
+Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
+
+>[!TIP]
+>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+
+- Ensure your device has an internet connection.
+- Turn on the device
+- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
+
+
+
+Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+
+
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
-
+Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
-Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+## Remove devices from Autopilot
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/en-us/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+
+### Delete (deregister) Autopilot device
+
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
+
+
+
+Click **X** when challenged to complete the operation:
+
+
+
+This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+
+
+
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+
+To remove the device from the Autopilot program, select the device and click Delete.
+
+
+
+A warning message appears reminding you to first remove the device from Intune, which we previously did.
+
+
+
+At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
+
+
+
+Once the device no longer appears, you are free to reuse it for other purposes.
+
+If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
+
+
+
+## Appendix A: Verify support for Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+
+C:\>systeminfo
+
+...
+Hyper-V Requirements: VM Monitor Mode Extensions: Yes
+ Virtualization Enabled In Firmware: Yes
+ Second Level Address Translation: Yes
+ Data Execution Prevention Available: Yes
+
+
+In this example, the computer supports SLAT and Hyper-V.
+
+>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+
+C:\>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR - Hypervisor is present
+VMX * Supports Intel hardware-assisted virtualization
+EPT * Supports Intel extended page tables (SLAT)
+
+
+Note: A 64-bit operating system is required to run Hyper-V.
+
+## Appendix B: Adding apps to your profile
+
+### Add a Win32 app
+
+#### Prepare the app for Intune
+
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+
+1. The source folder for your application
+2. The name of the setup executable file
+3. The output folder for the new file
+
+For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+
+Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
+
+Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
+
+
+
+After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+
+
+Under **App Type**, select **Windows app (Win32)**:
+
+
+
+On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
+
+
+
+On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+
+
+
+On the **Program Configuration** blade, supply the install and uninstall commands:
+
+Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
+Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+
+NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+
+
+
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+
+Click **OK** to save your input and activate the **Requirements** blade.
+
+On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+
+
+
+Next, configure the **Detection rules**. For our purposes, we will select manual format:
+
+
+
+Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
+
+
+
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+
+**Return codes**: For our purposes, leave the return codes at their default values:
+
+
+
+Click **OK** to exit.
+
+You may skip configuring the final **Scope (Tags)** blade.
+
+Click the **Add** button to finalize and save your app package.
+
+Once the indicator message says the addition has completed.
+
+
+
+You will be able to find your app in your app list:
+
+
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select *8Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+
+
+
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+
+
+At this point, you have completed steps to add a Win32 app to Intune.
+
+For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/en-us/intune/apps-win32-app-management).
+
+### Add Office 365
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+
+
+Under **App Type**, select **Office 365 Suite > Windows 10**:
+
+
+
+Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
+
+
+
+Click **OK**.
+
+In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+
+>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+
+
+
+Click **OK**.
+
+In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
+
+
+
+Click **OK** and then click **Add**.
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select **Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+
+
+
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+
+
+At this point, you have completed steps to add Office to Intune.
+
+For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
+
+If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
+
+
+
+## Glossary
+
+
+
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index d2e6471454..fd2778c09b 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -20,6 +20,8 @@ ms.topic: article
The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
+
+From Windows 10 version 1803 onwards, you can opt out of the account setup phase. If it is skipped, settings will be applied for users when they access their desktop for the first time.
## Available settings
diff --git a/windows/deployment/windows-autopilot/images/aad-lic1.png b/windows/deployment/windows-autopilot/images/aad-lic1.png
new file mode 100644
index 0000000000..569d601066
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/aad-lic1.png differ
diff --git a/windows/deployment/windows-autopilot/images/all-groups.png b/windows/deployment/windows-autopilot/images/all-groups.png
new file mode 100644
index 0000000000..6ae904ed62
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/all-groups.png differ
diff --git a/windows/deployment/windows-autopilot/images/app01.png b/windows/deployment/windows-autopilot/images/app01.png
new file mode 100644
index 0000000000..f551c5ca68
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app01.png differ
diff --git a/windows/deployment/windows-autopilot/images/app02.png b/windows/deployment/windows-autopilot/images/app02.png
new file mode 100644
index 0000000000..e5036043cc
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app02.png differ
diff --git a/windows/deployment/windows-autopilot/images/app03.png b/windows/deployment/windows-autopilot/images/app03.png
new file mode 100644
index 0000000000..63ef76b3f8
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app03.png differ
diff --git a/windows/deployment/windows-autopilot/images/app04.png b/windows/deployment/windows-autopilot/images/app04.png
new file mode 100644
index 0000000000..bd307c4a46
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app04.png differ
diff --git a/windows/deployment/windows-autopilot/images/app05.png b/windows/deployment/windows-autopilot/images/app05.png
new file mode 100644
index 0000000000..83861dcd51
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app05.png differ
diff --git a/windows/deployment/windows-autopilot/images/app06.png b/windows/deployment/windows-autopilot/images/app06.png
new file mode 100644
index 0000000000..9563e0514c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app06.png differ
diff --git a/windows/deployment/windows-autopilot/images/app07.png b/windows/deployment/windows-autopilot/images/app07.png
new file mode 100644
index 0000000000..59025e69fa
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app07.png differ
diff --git a/windows/deployment/windows-autopilot/images/app08.png b/windows/deployment/windows-autopilot/images/app08.png
new file mode 100644
index 0000000000..cea5edfc57
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app08.png differ
diff --git a/windows/deployment/windows-autopilot/images/app09.png b/windows/deployment/windows-autopilot/images/app09.png
new file mode 100644
index 0000000000..250c85dd8a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app09.png differ
diff --git a/windows/deployment/windows-autopilot/images/app10.png b/windows/deployment/windows-autopilot/images/app10.png
new file mode 100644
index 0000000000..8d5af2ece1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app10.png differ
diff --git a/windows/deployment/windows-autopilot/images/app11.png b/windows/deployment/windows-autopilot/images/app11.png
new file mode 100644
index 0000000000..9ca5bc10eb
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app11.png differ
diff --git a/windows/deployment/windows-autopilot/images/app12.png b/windows/deployment/windows-autopilot/images/app12.png
new file mode 100644
index 0000000000..3f82bf78a9
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app12.png differ
diff --git a/windows/deployment/windows-autopilot/images/app13.png b/windows/deployment/windows-autopilot/images/app13.png
new file mode 100644
index 0000000000..2b499f4ec2
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app13.png differ
diff --git a/windows/deployment/windows-autopilot/images/app14.png b/windows/deployment/windows-autopilot/images/app14.png
new file mode 100644
index 0000000000..e809db6134
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app14.png differ
diff --git a/windows/deployment/windows-autopilot/images/app15.png b/windows/deployment/windows-autopilot/images/app15.png
new file mode 100644
index 0000000000..b85a96bf9e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app15.png differ
diff --git a/windows/deployment/windows-autopilot/images/app16.png b/windows/deployment/windows-autopilot/images/app16.png
new file mode 100644
index 0000000000..f22f74a091
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app16.png differ
diff --git a/windows/deployment/windows-autopilot/images/app17.png b/windows/deployment/windows-autopilot/images/app17.png
new file mode 100644
index 0000000000..5adfc9218f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app17.png differ
diff --git a/windows/deployment/windows-autopilot/images/app18.png b/windows/deployment/windows-autopilot/images/app18.png
new file mode 100644
index 0000000000..24c4b9f331
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app18.png differ
diff --git a/windows/deployment/windows-autopilot/images/app19.png b/windows/deployment/windows-autopilot/images/app19.png
new file mode 100644
index 0000000000..281ba9fb40
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app19.png differ
diff --git a/windows/deployment/windows-autopilot/images/app20.png b/windows/deployment/windows-autopilot/images/app20.png
new file mode 100644
index 0000000000..a5a066b45e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app20.png differ
diff --git a/windows/deployment/windows-autopilot/images/app21.png b/windows/deployment/windows-autopilot/images/app21.png
new file mode 100644
index 0000000000..d2e23f2db4
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app21.png differ
diff --git a/windows/deployment/windows-autopilot/images/app22.png b/windows/deployment/windows-autopilot/images/app22.png
new file mode 100644
index 0000000000..4541a69204
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app22.png differ
diff --git a/windows/deployment/windows-autopilot/images/app23.png b/windows/deployment/windows-autopilot/images/app23.png
new file mode 100644
index 0000000000..19b951c653
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app23.png differ
diff --git a/windows/deployment/windows-autopilot/images/app24.png b/windows/deployment/windows-autopilot/images/app24.png
new file mode 100644
index 0000000000..aa77e4083f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app24.png differ
diff --git a/windows/deployment/windows-autopilot/images/app25.png b/windows/deployment/windows-autopilot/images/app25.png
new file mode 100644
index 0000000000..544d1ae37a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app25.png differ
diff --git a/windows/deployment/windows-autopilot/images/app26.png b/windows/deployment/windows-autopilot/images/app26.png
new file mode 100644
index 0000000000..e210faa31b
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app26.png differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png
new file mode 100644
index 0000000000..1533f68c7c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png differ
diff --git a/windows/deployment/windows-autopilot/images/branding.png b/windows/deployment/windows-autopilot/images/branding.png
new file mode 100644
index 0000000000..46dd37bc4a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/branding.png differ
diff --git a/windows/deployment/windows-autopilot/images/create-profile.png b/windows/deployment/windows-autopilot/images/create-profile.png
new file mode 100644
index 0000000000..52f087721d
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/create-profile.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device1.png b/windows/deployment/windows-autopilot/images/delete-device1.png
new file mode 100644
index 0000000000..e73f929fbd
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device1.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device2.png b/windows/deployment/windows-autopilot/images/delete-device2.png
new file mode 100644
index 0000000000..ed764ac1ed
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device2.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device3.png b/windows/deployment/windows-autopilot/images/delete-device3.png
new file mode 100644
index 0000000000..a2daa1c39a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device3.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device4.png b/windows/deployment/windows-autopilot/images/delete-device4.png
new file mode 100644
index 0000000000..c0119fbc39
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device4.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device5.png b/windows/deployment/windows-autopilot/images/delete-device5.png
new file mode 100644
index 0000000000..33b539d33c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device5.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device6.png b/windows/deployment/windows-autopilot/images/delete-device6.png
new file mode 100644
index 0000000000..23cbcb7c44
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device6.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device7.png b/windows/deployment/windows-autopilot/images/delete-device7.png
new file mode 100644
index 0000000000..dcdeee5205
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device7.png differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles.png b/windows/deployment/windows-autopilot/images/deployment-profiles.png
new file mode 100644
index 0000000000..7888da55d1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/deployment-profiles.png differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles2.png b/windows/deployment/windows-autopilot/images/deployment-profiles2.png
new file mode 100644
index 0000000000..6ff9fbb89e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/deployment-profiles2.png differ
diff --git a/windows/deployment/windows-autopilot/images/device-import.png b/windows/deployment/windows-autopilot/images/device-import.png
new file mode 100644
index 0000000000..3be4cff996
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/device-import.png differ
diff --git a/windows/deployment/windows-autopilot/images/device-status.png b/windows/deployment/windows-autopilot/images/device-status.png
new file mode 100644
index 0000000000..5a78973ce5
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/device-status.png differ
diff --git a/windows/deployment/windows-autopilot/images/enabled-device.png b/windows/deployment/windows-autopilot/images/enabled-device.png
new file mode 100644
index 0000000000..96dc935309
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enabled-device.png differ
diff --git a/windows/deployment/windows-autopilot/images/hwid-csv.png b/windows/deployment/windows-autopilot/images/hwid-csv.png
new file mode 100644
index 0000000000..ac177e0b5a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/hwid-csv.png differ
diff --git a/windows/deployment/windows-autopilot/images/hwid.png b/windows/deployment/windows-autopilot/images/hwid.png
new file mode 100644
index 0000000000..fcc73fa0b0
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/hwid.png differ
diff --git a/windows/deployment/windows-autopilot/images/import-vm.png b/windows/deployment/windows-autopilot/images/import-vm.png
new file mode 100644
index 0000000000..5fb97cda5d
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/import-vm.png differ
diff --git a/windows/deployment/windows-autopilot/images/include-group.png b/windows/deployment/windows-autopilot/images/include-group.png
new file mode 100644
index 0000000000..fb7bca7efa
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/include-group.png differ
diff --git a/windows/deployment/windows-autopilot/images/include-group2.png b/windows/deployment/windows-autopilot/images/include-group2.png
new file mode 100644
index 0000000000..585d006bac
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/include-group2.png differ
diff --git a/windows/deployment/windows-autopilot/images/intune-devices.png b/windows/deployment/windows-autopilot/images/intune-devices.png
new file mode 100644
index 0000000000..bc29c76511
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/intune-devices.png differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune.png b/windows/deployment/windows-autopilot/images/mdm-intune.png
new file mode 100644
index 0000000000..db9b144fad
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/mdm-intune.png differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune2.png b/windows/deployment/windows-autopilot/images/mdm-intune2.png
new file mode 100644
index 0000000000..d464863f37
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/mdm-intune2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-assign1.png b/windows/deployment/windows-autopilot/images/msfb-assign1.png
new file mode 100644
index 0000000000..c1e8e27e21
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-assign1.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-assign2.png b/windows/deployment/windows-autopilot/images/msfb-assign2.png
new file mode 100644
index 0000000000..fd3be16853
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-assign2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create1.png b/windows/deployment/windows-autopilot/images/msfb-create1.png
new file mode 100644
index 0000000000..f76aa82991
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-create1.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create2.png b/windows/deployment/windows-autopilot/images/msfb-create2.png
new file mode 100644
index 0000000000..ec6c260fcd
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-create2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create3.png b/windows/deployment/windows-autopilot/images/msfb-create3.png
new file mode 100644
index 0000000000..a6241fb5ea
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-create3.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-device.png b/windows/deployment/windows-autopilot/images/msfb-device.png
new file mode 100644
index 0000000000..d338056013
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-device.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage.png b/windows/deployment/windows-autopilot/images/msfb-manage.png
new file mode 100644
index 0000000000..9bf684d844
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-manage.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage2.png b/windows/deployment/windows-autopilot/images/msfb-manage2.png
new file mode 100644
index 0000000000..406aaf5948
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-manage2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage3.png b/windows/deployment/windows-autopilot/images/msfb-manage3.png
new file mode 100644
index 0000000000..bf5fb1ccf9
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-manage3.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb.png b/windows/deployment/windows-autopilot/images/msfb.png
new file mode 100644
index 0000000000..af937c2c5f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb.png differ
diff --git a/windows/deployment/windows-autopilot/images/new-group.png b/windows/deployment/windows-autopilot/images/new-group.png
new file mode 100644
index 0000000000..c18c1865f6
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/new-group.png differ
diff --git a/windows/deployment/windows-autopilot/images/profile.png b/windows/deployment/windows-autopilot/images/profile.png
new file mode 100644
index 0000000000..40cf26bee2
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/profile.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup1.png b/windows/deployment/windows-autopilot/images/winsetup1.png
new file mode 100644
index 0000000000..c8048256c4
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup1.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup2.png b/windows/deployment/windows-autopilot/images/winsetup2.png
new file mode 100644
index 0000000000..43db844334
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup2.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup3.png b/windows/deployment/windows-autopilot/images/winsetup3.png
new file mode 100644
index 0000000000..dbea3969de
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup3.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup4.png b/windows/deployment/windows-autopilot/images/winsetup4.png
new file mode 100644
index 0000000000..1121b1dff5
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup4.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup5.png b/windows/deployment/windows-autopilot/images/winsetup5.png
new file mode 100644
index 0000000000..2757253097
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup5.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup6.png b/windows/deployment/windows-autopilot/images/winsetup6.png
new file mode 100644
index 0000000000..e91843e1ff
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup6.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup7.png b/windows/deployment/windows-autopilot/images/winsetup7.png
new file mode 100644
index 0000000000..dadf85485e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup7.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup8.png b/windows/deployment/windows-autopilot/images/winsetup8.png
new file mode 100644
index 0000000000..9d7a499db0
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup8.png differ
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index c084916d3e..c75f3e2df4 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -29,10 +29,11 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
- **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
- The device must be running Windows 10, version 1809 or later.
-- The device must be connected to the Internet and have access to an Active Directory domain controller.
+- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user).
+- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements-network.md).
- The Intune Connector for Active Directory must be installed.
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
-- If using Proxy, WDAP Proxy settings option must be enabled and configured.
+- If using Proxy, WPAD Proxy settings option must be enabled and configured.
**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
index ac25a597f7..c6b59a7df4 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
@@ -19,12 +19,14 @@ ms.topic: article
**Applies to: Windows 10, version 1709 and above
+The Intune Service Administrator role is required to perform this task. Learn more about how to [Assign Azure Active Directory roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
+
IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
To enable local Autopilot Reset in Windows 10:
-1. [Enable the policy for the feature](#enable-autopilot-reset)
-2. [Trigger a reset for each device](#trigger-autopilot-reset)
+1. [Enable the policy for the feature](#enable-local-autopilot-reset)
+2. [Trigger a reset for each device](#trigger-local-autopilot-reset)
## Enable local Windows Autopilot Reset
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
index 30fb733eb0..7e67c7eca1 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -21,7 +21,7 @@ ms.topic: article
When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
-To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md).
+To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md). This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md).
## Triggering a remote Windows Autopilot Reset
@@ -34,5 +34,8 @@ To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
>[!NOTE]
>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
+>[!IMPORTANT]
+>The feature for Autopilot Reset (preview) will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
+
Once the reset is complete, the device is again ready for use.
-
\ No newline at end of file
+
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 1a5c9e982d..78eca0eb39 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -33,6 +33,9 @@ Windows Autopilot Reset will block the user from accessing the desktop until thi
>[!IMPORTANT]
>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
+>[!NOTE]
+>The Autopilot Reset does not support Hybrid Azure AD joined devices.
+
## Scenarios
Windows Autopilot Reset supports two scenarios:
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 1883594880..a811ff7119 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,6 +1,6 @@
# [Windows 10 and Windows 10 Mobile](index.md)
## [What's new](/windows/whats-new)
-## [Release information](release-information.md)
+## [Release information](/windows/release-information)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
## [Client management](/windows/client-management)
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index 4539d3b751..a28aaa3b77 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -25,9 +25,9 @@
- name: Mobile Device Management
tocHref: /windows/client-management/mdm/
topicHref: /windows/client-management/mdm/index
- - name: Known issues
- tocHref: /windows/known-issues/
- topicHref: /windows/known-issues/index
+ - name: Release information
+ tocHref: /windows/release-information/
+ topicHref: /windows/release-information/index
- name: Privacy
tocHref: /windows/privacy/
topicHref: /windows/privacy/index
diff --git a/windows/hub/release-information.md b/windows/hub/release-information.md
deleted file mode 100644
index 2aa38be1de..0000000000
--- a/windows/hub/release-information.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Windows 10 - release information
-description: Learn release information for Windows 10 releases
-keywords: ["Windows 10", "Windows 10 October 2018 Update"]
-ms.prod: w10
-layout: LandingPage
-ms.topic: landing-page
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: lizap
-ms.author: elizapo
-ms.localizationpriority: high
----
-# Windows 10 release information
-
-Feature updates for Windows 10 are released twice a year, targeting March and September, via the Semi-Annual Channel (SAC) and will be serviced with monthly quality updates for 18 months from the date of the release. We recommend that you begin deployment of each SAC release immediately to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
-
-Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
-
->[!NOTE]
->If you are not using Windows Update for Business today, the "Semi-Annual Channel (Targeted)" servicing option has no impact on when your devices will be updated. It merely reflects a milestone for the semi-annual release, the period of time during which Microsoft recommends that your IT team make the release available to specific, "targeted" devices for the purpose of validating and generating data in order to get to a broad deployment decision. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
-
-
-OEM Original Equipment Manufacturer CSV Comma Separated Values MPC Microsoft Partner Center CSP Cloud Solution Provider MSfB Microsoft Store for Business AAD Azure Active Directory 4K HH 4K Hardware Hash CBR Computer Build Report EC Enterprise Commerce (server) DDS Device Directory Service OOBE Out of the Box Experience VM Virtual Machine
Disable this policy to turn off Cortana. |
-| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results.
Disable this policy to block access to location information for Cortana. |
-| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Enable this policy to remove the option to search the Internet from Cortana. |
-| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search. |
-| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. |
+| Allow Cortana | Choose whether to let Cortana install and run on the device.
**Disable** this policy to turn off Cortana. |
+| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results.
**Disable** this policy to block access to location information for Cortana. |
+| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
**Enable** this policy to remove the option to search the Internet from Cortana. |
+| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
**Enable** this policy to stop web queries and results from showing in Search. |
+| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you **enable** this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. |
You can also apply the Group Policies using the following registry keys:
| Policy | Registry Path |
|------------------------------------------------------|---------------------------------------------------------------------------------------|
-| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowCortana
Value: 0|
-| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowSearchToUseLocation
Value: 0 |
-| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: DisableWebSearch
Value: 1 |
-| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0 |
-| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchPrivacy
Value: 3 |
+| Allow Cortana | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowCortana
Value: 0|
+| Allow search and Cortana to use location | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowSearchToUseLocation
Value: 0 |
+| Do not allow web search | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: DisableWebSearch
Value: 1 |
+| Don't search the web or display web results in Search| HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0 |
+| Set what information is shared in Search | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchPrivacy
Value: 3 |
>[!IMPORTANT]
->These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016.
+> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
-1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
+1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
@@ -363,12 +362,15 @@ You can also apply the Group Policies using the following registry keys:
9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
- - For **Protocol type**, choose **TCP**.
+ - For **Protocol type**, choose **TCP**.
- - For **Local port**, choose **All Ports**.
+ - For **Local port**, choose **All Ports**.
- - For **Remote port**, choose **All ports**.
+ - For **Remote port**, choose **All ports**.
+-or-
+
+- Create a new REG_SZ registry setting named **{0DE40C8E-C126-4A27-9371-A27DAB1039F7}** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules** and set it to a value of **v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\searchUI.exe|Name=Block outbound Cortana|**
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
@@ -389,29 +391,26 @@ You can prevent Windows from setting the time automatically.
-or-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+- Create a REG_SZ registry setting in **HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
After that, configure the following:
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
- > [!NOTE]
- > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
+ -or-
- -or -
-
-- Create a new REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to 0 (zero).
+- Create a new REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to **0 (zero)**.
### 4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-or -
-- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+- Create a new REG_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
-or -
@@ -421,13 +420,15 @@ To prevent Windows from retrieving device metadata from the Internet:
To turn off Find My Device:
-- Turn off the feature in the UI
+- Turn **Off** the feature in the UI by going to **Settings -> Update & Security -> Find My Device**, click the Change button, and set the value to **Off**
-or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
-You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FindMyDevice\\AllowFindMyDevice** to 0 (zero).
+ -or-
+
+- You can also create a new REG_DWORD registry setting **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FindMyDevice\\AllowFindMyDevice** to **0 (zero)**.
### 6. Font streaming
@@ -435,15 +436,19 @@ Fonts that are included in Windows but that are not stored on the local device c
If you're running Windows 10, version 1607, Windows Server 2016, or later:
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
-- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\System\\EnableFontProviders** to 0 (zero).
+ -or-
+
+- Create a new REG_DWORD registry setting **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\EnableFontProviders** to **0 (zero)**.
+
+ -or-
- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **false**. Font streaming is disabled.
+ - **False**. Font streaming is Disabled.
- - **true**. Font streaming is enabled.
+ - **True**. Font streaming is Enabled.
> [!NOTE]
> After you apply this policy, you must restart the device for it to take effect.
@@ -451,8 +456,7 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
### 7. Insider Preview builds
-The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10.
-This setting stops communication with the Windows Insider Preview service that checks for new builds.
+The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. This setting stops communication with the Windows Insider Preview service that checks for new builds.
Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
@@ -461,7 +465,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
To turn off Insider Preview builds for a released version of Windows 10:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
To turn off Insider Preview builds for Windows 10:
@@ -472,11 +476,11 @@ To turn off Insider Preview builds for Windows 10:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+- **Enable** the Group Policy **Toggle user control over Insider builds** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
- -or -
+ -or-
-- Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero)
+- Create a new REG_DWORD registry setting named **AllowBuildPreview** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a **value of 0 (zero)**
-or-
@@ -488,63 +492,70 @@ To turn off Insider Preview builds for Windows 10:
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
- -or-
-
-- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
### 8. Internet Explorer
-
-Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
+> [!NOTE]
+> The following Group Policies and Registry Keys are for user interactive scenarios rather then the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
-| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
Default: Enabled|
-| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
-| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
-| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled |
+| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
**Set Value to: Disabled**
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**|
+| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled** You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
+| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**|
+| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
**Set Value to: Enabled** and then set **Select SmartScreen filtering mode** to **Off**.|
-Alternatively, you could use the registry to set the Group Policies.
-| Policy | Registry path |
+| Registry Key | Registry path |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
Value: 0|
-| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
Value: 0|
-| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AutoComplete
REG_SZ: AutoSuggest
Value: **No** |
-| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
Value: 1 |
-| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
Value: 0 |
+| Turn on Suggested Sites| HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**|
+| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** |
+| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** |
+| Prevent managing SmartScreen filter | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** |
There are more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
-| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled |
-| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled |
-| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled |
-| **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Allow Online Tips** | Allow Online Tips | Enables or disables the retrieval of online tips and help for the Settings app.
Set to : Disabled |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can fix website display problems that he or she may encounter while browsing.
**Set to: Enabled** |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
**Set to: Enabled** |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
**Set to: Enabled** |
+| **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Allow Online Tips** | Allow Online Tips | Enables or disables the retrieval of online tips and help for the Settings app.
**Set to: Disabled** |
-You can also use registry entries to set these Group Policies.
+You can also use Registry keys to set these policies.
-| Policy | Registry path |
+| Registry Key | Registry path |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
REG_DWORD: MSCompatibilityMode
Value: 0|
-| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
Value: 0|
-| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
Value: 0|
-| Turn off Online Tips | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
Value: 0|
+| Choose whether employees can configure Compatibility View. | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**|
+| Turn off the flip ahead with page prediction feature | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**|
+| Turn off background synchronization for feeds and Web Slices | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**|
+| Allow Online Tips | HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0**|
+
+To turn off the home page, **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**.
+
+ -or -
+
+- Create a new REG_SZ registry setting named **Start Page** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **about:blank**
+
+ -and -
+
+- Create a new REG_DWORD registry setting named **HomePage** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel** with a **1 (one)**
+To configure the First Run Wizard, **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Prevent running First Run wizard**, and set it to **Go directly to home page**.
-To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**.
+ -or -
-To configure the First Run Wizard, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Prevent running First Run wizard**, and set it to **Go directly to home page**.
+- Create a new REG_DWORD registry setting named **DisableFirstRunCustomize** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **1 (one)**
+
+
+To configure the behavior for a new tab, **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Specify default behavior for a new tab**, and set it to **about:blank**.
+
+ -or -
+
+- Create a new REG_DWORD registry setting named **NewTabPageShow** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\TabbedBrowsing** with a **0 (zero)**
-To configure the behavior for a new tab, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Specify default behavior for a new tab**, and set it to **about:blank**.
### 8.1 ActiveX control blocking
@@ -552,11 +563,11 @@ ActiveX control blocking periodically downloads a new list of out-of-date Active
You can turn this off by:
-- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
+- **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
-or -
-- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+- Changing the REG_DWORD registry setting **HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to **0 (zero)**.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/library/dn761713.aspx).
@@ -564,7 +575,7 @@ For more info, see [Out-of-date ActiveX control blocking](https://technet.micros
You can turn off License Manager related traffic by setting the following registry entry:
-- Add a REG\_DWORD value named **Start** to **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the value to 4
+- Add a REG_DWORD value named **Start** to **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the **value to 4**
- The value 4 is to disable the service. Here are the available options to set the registry:
@@ -582,11 +593,11 @@ You can turn off License Manager related traffic by setting the following regist
To turn off Live Tiles:
-- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
-or-
-- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
@@ -606,28 +617,26 @@ To turn off mail synchronization for Microsoft Accounts that are configured on a
To turn off the Windows Mail app:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-
- -or-
-
-- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **ManualLaunchAllowed** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a **value of 0 (zero)**.
### 12. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
-- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
+- **Enable** the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
-or-
-- Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3.
+- Create a REG_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a **value of 3**.
To disable the Microsoft Account Sign-In Assistant:
- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-- Change the Start REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**.
+ -or-
+
+- Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**.
### 13. Microsoft Edge
@@ -640,30 +649,33 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library.
Default: Enabled |
-| Configure Autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
-| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
-| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
-| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
Default: Enabled |
-| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
-| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
-| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **\
Set to: Enable |
+| Allow Address bar drop-down list suggestions | Choose whether to show the address bar drop-down list
**Set to Disabled** |
+| Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library.
**Set to Disabled** |
+| Configure Autofill | Choose whether employees can use autofill on websites.
**Set to Disabled** |
+| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** |
+| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** |
+| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** |
+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
**Set to Disabled** |
+| Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** |
+| Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <
**Set to: Enable** |
+| Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge.
**Set to: Disabled** |
-Alternatively, you can configure the Microsoft Group Policies using the following registry entries:
+Alternatively, you can configure the these Registry keys as described:
-| Policy | Registry path |
+| Registry Key | Registry path |
| - | - |
-| Allow Address Bar drop-down list suggestions | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: ShowOneBox
Value: 0|
-| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary
REG_DWORD name: AllowConfigurationUpdateForBooksLibrary
Value: 1|
-| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: Use FormSuggest
Value : **no** |
-| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: 1 |
-| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **no** |
-| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: 0|
-| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: 0 |
-| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: AllowWebContentOnNewTabPage
Value: 0 |
-| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: ProvisionedHomePages
Value: 0|
-| Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: 1|
+| Allow Address Bar drop-down list suggestions | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: ShowOneBox
Set to **0**|
+| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary
REG_DWORD name: AllowConfigurationUpdateForBooksLibrary
Set to **0**|
+| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: Use FormSuggest
Value : **No** |
+| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** |
+| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** |
+| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**|
+| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** |
+| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** |
+| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<
REG_DWORD name: PreventFirstRunPage
Value: **1**|
+| Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
REG_DWORD: MSCompatibilityMode
Value: **0**|
### 13.2 Microsoft Edge MDM policies
@@ -672,13 +684,13 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed |
-| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed |
-| Browser/AllowMicrosoftCompatbilityList | Specify the Microsoft compatibility list in Microsoft Edge.
Default: Enabled |
-| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed |
-| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the Address Bar shows search suggestions..
Default: Allowed |
-| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed |
-| Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10.
Default: blank |
+| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
**Set to: Not Allowed** |
+| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
**Set to: Allowed** |
+| Browser/AllowMicrosoftCompatbilityList | Specify the Microsoft compatibility list in Microsoft Edge.
**Set to: Not Allowed** |
+| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
**Set to: Not Allowed** |
+| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the Address Bar shows search suggestions..
**Set to: Not Allowed** |
+| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
**Set to: Not Allowed** |
+| Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10.
**Set to:** blank |
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
@@ -691,7 +703,7 @@ In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2
You can turn off NCSI by doing one of the following:
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1.
@@ -700,49 +712,49 @@ You can turn off NCSI by doing one of the following:
-or-
-- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoActiveProbe** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one).
### 15. Offline maps
You can turn off the ability to download and update offline maps.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
-or-
-- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a **value of 0 (zero)**.
-or-
-- In Windows 10, version 1607 and later, apply the Maps/EnableOfflineMapsAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate) with a value of 0.
+- In Windows 10, version 1607 and later, apply the Maps/EnableOfflineMapsAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate) with a **value of 0**.
-and-
-- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
+- In Windows 10, version 1607 and later, **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
-or-
-- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
### 16. OneDrive
To turn off OneDrive in your organization:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-or-
-- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one).
-and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
-or-
-- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OneDrive** with a **value of 1 (one)**
- -or-
+-or-
- Set the System/DisableOneDriveFileSync MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync) to True (value 1) to disable OneDrive File Sync.
@@ -881,7 +893,7 @@ Use Settings > Privacy to configure some settings that may be important to yo
- [18.5 Notifications](#bkmk-priv-notifications)
-- [18.6 Speech, inking, & typing](#bkmk-priv-speech)
+- [18.6 Speech](#bkmk-priv-speech)
- [18.7 Account info](#bkmk-priv-accounts)
@@ -895,19 +907,23 @@ Use Settings > Privacy to configure some settings that may be important to yo
- [18.12 Messaging](#bkmk-priv-messaging)
-- [18.13 Radios](#bkmk-priv-radios)
+- [18.13 Phone Calls](#bkmk-priv-phone-calls)
-- [18.14 Other devices](#bkmk-priv-other-devices)
+- [18.14 Radios](#bkmk-priv-radios)
-- [18.15 Feedback & diagnostics](#bkmk-priv-feedback)
+- [18.15 Other devices](#bkmk-priv-other-devices)
-- [18.16 Background apps](#bkmk-priv-background)
+- [18.16 Feedback & diagnostics](#bkmk-priv-feedback)
-- [18.17 Motion](#bkmk-priv-motion)
+- [18.17 Background apps](#bkmk-priv-background)
-- [18.18 Tasks](#bkmk-priv-tasks)
+- [18.18 Motion](#bkmk-priv-motion)
-- [18.19 App Diagnostics](#bkmk-priv-diag)
+- [18.19 Tasks](#bkmk-priv-tasks)
+
+- [18.20 App Diagnostics](#bkmk-priv-diag)
+
+- [18.21 Inking & Typing](#bkmk-priv-ink)
### 18.1 General
@@ -924,15 +940,15 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
-or-
-- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
- -or-
+ -and-
-- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Let websites provide locally relevant content by accessing my language list**:
@@ -940,7 +956,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang
-or-
-- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
+- Create a new REG_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY_CURRENT_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let Windows track app launches to improve Start and search results**:
@@ -948,7 +964,7 @@ To turn off **Let Windows track app launches to improve Start and search results
-or-
-- Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** with value of 0 (zero).
+- Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced** with value of 0 (zero).
#### Windows Server 2016 and Windows 10, version 1607 and earlier options
@@ -961,15 +977,15 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
-or-
-- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
-
- -or-
-
-- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**:
@@ -977,30 +993,22 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
-or-
-- Create a provisioning package, using:
- - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
- - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
-
- -or-
-
-- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> [!NOTE]
> If the diagnostic data level is set to either **Basic** or **Security**, this is turned off automatically.
-
-
- Turn off the feature in the UI.
-or-
- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **0**. Not allowed
+ - **0**. Not allowed
- - **1**. Allowed (default)
+ - **1**. Allowed (default)
To turn off **Let websites provide locally relevant content by accessing my language list**:
@@ -1008,7 +1016,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang
-or-
-- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
+- Create a new REG_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY_CURRENT_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
@@ -1020,7 +1028,7 @@ To turn off **Let apps on my other devices open apps and continue experiences on
-or-
-- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **EnableCdp** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
@@ -1036,46 +1044,39 @@ To turn off **Location for this device**:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
-or-
- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Turned off and the employee can't turn it back on.
+ - **0**. Turned off and the employee can't turn it back on.
- - **1**. Turned on, but lets the employee choose whether to use it. (default)
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
- - **2**. Turned on and the employee can't turn it off.
+ - **2**. Turned on and the employee can't turn it off.
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
-
- - **No**. Turns off location service.
-
- - **Yes**. Turns on location service. (default)
-
To turn off **Location**:
- Turn off the feature in the UI.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+
+ -or-
+
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
- Set the **Select a setting** box to **Force Deny**.
-or-
-- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **DisableLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
- -or-
To turn off **Location history**:
@@ -1101,26 +1102,19 @@ To turn off **Let apps use my camera**:
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessCamera** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
-or-
- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Apps can't use the camera.
+ - **0**. Apps can't use the camera.
- - **1**. Apps can use the camera.
+ - **1**. Apps can use the camera.
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
- -or-
-
-- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
To turn off **Choose apps that can use your camera**:
@@ -1144,13 +1138,13 @@ To turn off **Let apps use my microphone**:
- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
+- Create a REG_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
To turn off **Choose apps that can use your microphone**:
@@ -1169,15 +1163,15 @@ To turn off notifications network usage:
-or-
-- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one)
+- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one)
-or-
- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where:
- - **0**. WNS notifications allowed
- - **1**. No WNS notifications allowed
+ - **0**. WNS notifications allowed
+ - **1**. No WNS notifications allowed
In the **Notifications** area, you can also choose which apps have access to notifications.
@@ -1195,55 +1189,33 @@ To turn off **Let apps access my notifications**:
- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
+- Create a REG_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
-### 18.6 Speech, inking, & typing
+### 18.6 Speech
-In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
+In the **Speech** area, you can configure the functionality as such:
-> [!NOTE]
-> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
+To turn off streaming audio to Microsoft Speech services,
-To turn off the functionality:
-
-- Click the **Stop getting to know me** button, and then click **Turn off**.
+- Toggle the Settings -> Privacy -> Speech -> **Online speech recognition** switch to **Off**
-or-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+- **Disable** the Group Policy: **Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow users to enable online speech recognition services**
-or-
-- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
+- Set the Privacy\AllowInputPersonalization MDM Policy from the Policy CSP to **0 - Not allowed**
-or-
-- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
-
- -and-
-
-- Create a REG\_DWORD registry setting named **HarvestContacts** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of 0 (zero).
-
-If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models:
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatically update of Speech Data**
-
-If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
-
-Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
-
-- **0** (default). Not allowed.
-- **1**. Allowed.
-
- -or-
-
-- Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **HasAccepted** in **HKEY_CURRENT_USER\\Software\\Microsoft\\Speech_OneCore\\Settings\\OnlineSpeechPrivacy** with a **value of 0 (zero)**
### 18.7 Account info
@@ -1263,13 +1235,15 @@ To turn off **Let apps access my name, picture, and other account info**:
- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+
+
To turn off **Choose the apps that can access your account info**:
@@ -1293,13 +1267,13 @@ To turn off **Choose apps that can access contacts**:
- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessContacts** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 18.9 Calendar
@@ -1319,13 +1293,13 @@ To turn off **Let apps access my calendar**:
- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can access calendar**:
@@ -1349,13 +1323,13 @@ To turn off **Let apps access my call history**:
- Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 18.11 Email
@@ -1381,7 +1355,7 @@ To turn off **Let apps access and send email**:
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessEmail** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 18.12 Messaging
@@ -1401,13 +1375,13 @@ To turn off **Let apps read or send messages (text or MMS)**:
- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can read or send messages**:
@@ -1415,13 +1389,13 @@ To turn off **Choose apps that can read or send messages**:
**To turn off Message Sync**
-- Create a REG\_DWORD registry setting named **AllowMessageSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\Messaging and set the value to 0.
+- Create a REG_DWORD registry setting named **AllowMessageSync** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Messaging** and set the **value to 0 (zero)**.
-or-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging**
- - Set the **Allow Message Service Cloud** to **Disable**.
+ - Set the **Allow Message Service Cloud Sync** to **Disable**.
### 18.13 Phone calls
@@ -1441,13 +1415,13 @@ To turn off **Let apps make phone calls**:
- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessPhone** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can make phone calls**:
@@ -1478,7 +1452,7 @@ To turn off **Let apps control radios**:
-or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessRadios** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can control radios**:
@@ -1491,23 +1465,19 @@ In the **Other Devices** area, you can choose whether devices that aren't paired
To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps communicate with unpaired devices** and set the **Select a setting** box to **Force Deny**.
-or-
-- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
-
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+- Set the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices) to **2**. Force deny
-or-
-- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
@@ -1515,9 +1485,11 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** and set the **Select a setting** box to **Force Deny**.
-- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG_DWORD registry setting named **LetAppsAccessTrustedDevices** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
-or-
@@ -1538,24 +1510,23 @@ To change how frequently **Windows should ask for my feedback**:
> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
-
- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
-or-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
-or-
-- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
-or-
-- Create the registry keys (REG\_DWORD type):
+- Create the registry keys (REG_DWORD type):
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+ - HKEY_CURRENT_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+ - HKEY_CURRENT_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
Based on these settings:
@@ -1574,11 +1545,11 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
+- **Enable** the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and **set it to a value of 0**.
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+- Create a REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a **value of 0**.
> [!NOTE]
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
@@ -1587,25 +1558,14 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Maps to the **Security** level.
+ - **0**. Maps to the **Security** level.
- - **1**. Maps to the **Basic** level.
+ - **1**. Maps to the **Basic** level.
- - **2**. Maps to the **Enhanced** level.
+ - **2**. Maps to the **Enhanced** level.
- - **3**. Maps to the **Full** level.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
-
- - **0**. Maps to the **Security** level.
-
- - **1**. Maps to the **Basic** level.
-
- - **2**. Maps to the **Enhanced** level.
-
- - **3**. Maps to the **Full** level.
+ - **3**. Maps to the **Full** level.
+
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
@@ -1613,7 +1573,20 @@ To turn off tailored experiences with relevant tips and recommendations by using
-or-
-- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**
+
+ -or-
+
+- Create a REG_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of **1**
+
+ -and-
+
+- **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
+
+ -or-
+
+- Create a REG_DWORD registry setting named **DisableTailoredExperiencesWithDiagnosticData** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of **1**
+
### 18.17 Background apps
@@ -1621,25 +1594,23 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
To turn off **Let apps run in the background**:
-- In **Background apps**, set **Let apps run in the background** to **Off**.
+- In the **Background apps** settings page, set **Let apps run in the background** to **Off**.
-or-
-- In **Background apps**, turn off the feature for each app.
+- In the **Background apps** settings page, turn off the feature for each app.
+
+ -or-
+
+- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**.
-or-
-- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
-
- - Set the **Select a setting** box to **Force Deny**.
+- Create a REG_DWORD registry setting named **LetAppsRunInBackground** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**
-or-
-- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where:
-
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+- Set the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground) to **2 Force Deny**.
> [!NOTE]
> Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**.
@@ -1654,19 +1625,20 @@ To turn off **Let Windows and your apps use your motion data and collect motion
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** and set the **Default for all apps** to **Force Deny**
+
+ -or-
+
+- Create a REG_DWORD registry setting named **LetAppsAccessMotion** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
-or-
- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 18.19 Tasks
@@ -1678,17 +1650,19 @@ To turn this off:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**. Set the **Select a setting** box to **Force Deny**.
- - Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG_DWORD registry setting named **LetAppsAccessTasks** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
-or-
- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 18.20 App Diagnostics
@@ -1700,59 +1674,117 @@ To turn this off:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
-or-
-- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
+- Create a REG_DWORD registry setting named **LetAppsGetDiagnosticInfo** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ -or-
+- Set the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo) to **2**. Force deny
+
+
+### 18.21 Inking & Typing
+
+In the **Inking & Typing** area you can configure the functionality as such:
+
+To turn off Inking & Typing data collection (note: there is no Group Policy for this setting):
+
+ - In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off**
+
+ -or-
+
+ - Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)**
+
+ -or-
+
+ - Set the Privacy\AllowInputPersonalization MDM Policy from the Policy CSP.
+ [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) to **0** (not allowed). This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and suggestion capabilities of apps and services running on Windows.
+
+
+If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models:
+
+ **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
+
+ -or-
+
+ - Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
+
+ -or-
+
+ - Set the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate) to **0**
+
+
+> [!NOTE]
+> Releases 1803 and earlier support **Speech, Inking, & Typing** as a combined settings area. For customizing those setting please follow the below instructions. For 1809 and above **Speech** and **Inking & Typing** are separate settings pages, please see the specific section (18.6 Speech or 18.21 Inking and Typing) above for those areas.
+
+In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
+
+ For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
+
+ To turn off the functionality:
+
+ - Click the **Stop getting to know me** button, and then click **Turn off**.
+
+ -or-
+
+ - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+
+ -or-
+
+ - Create a REG_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
+
+ -or-
+
+ - Create a REG_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY_CURRENT_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
+
+ -and-
+
+ - Create a REG_DWORD registry setting named **HarvestContacts** in **HKEY_CURRENT_USER\\Software\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of **0 (zero)**.
### 19. Software Protection Platform
-Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
+ Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
-For Windows 10:
+ **For Windows 10:**
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+ - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
-- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
+ - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) and **set the value to 1 (Enabled)**.
-or-
-- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+ - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
-For Windows Server 2019 or later:
+**For Windows Server 2019 or later:**
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+ - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
-- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+ - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
-For Windows Server 2016:
-- Create a REG\_DWORD registry setting named **NoAcquireGT** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+**For Windows Server 2016:**
->[!NOTE]
->Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
+ - Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
-The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+ >[!NOTE]
+ >Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
+ >The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### 20. Storage health
Enterprise customers can manage updates to the Disk Failure Prediction Model.
For Windows 10:
-- Disable this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model**
+- **Disable** this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model**
-or-
-- Create a REG\_DWORD registry setting named **AllowDiskHealthModelUpdates** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\StorageHealth** with a value of 0.
+- Create a REG_DWORD registry setting named **AllowDiskHealthModelUpdates** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\StorageHealth** with a value of 0.
### 21. Sync your settings
@@ -1762,28 +1794,24 @@ You can control if your settings are synchronized:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**.
-or-
-- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **DisableSettingSync** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
-or-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) and **set the value to 0 (not allowed)**.
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
-
- - **No**. Settings are not synchronized.
-
- - **Yes**. Settings are synchronized. (default)
To turn off Messaging cloud sync:
-- Set the Group Policy Allow Message Service Cloud to Disable. The Group Policy path is Computer Configuration\Administrative templates\Windows Components\Messaging\Allow Message Service Cloud
-- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero).
+- Note: There is no Group Policy corresponding to this registry key.
+
+ -or-
+
+- Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**.
### 22. Teredo
@@ -1792,15 +1820,12 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
>[!NOTE]
>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
-or-
-- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**.
+- Create a new REG_SZ registry setting named **Teredo_State** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**.
- -or-
-
-- From an elevated command prompt, run **netsh interface teredo set state disabled**
### 23. Wi-Fi Sense
@@ -1811,23 +1836,16 @@ Wi-Fi Sense automatically connects devices to known hotspots and to the wireless
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
-or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
-or-
-- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero).
+- Create a new REG_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a **value of 0 (zero)**.
- -or-
-
-- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
-
- -or-
-
-- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
@@ -1835,67 +1853,72 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr
You can disconnect from the Microsoft Antimalware Protection Service.
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop down box named **Join Microsoft MAPS**
- -or-
+-OR-
-- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**.
+- Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**.
- -or-
+-OR-
- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
-
- -and-
-
- From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
You can stop sending file samples back to Microsoft.
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**.
-or-
-- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
-
- - **0**. Always prompt.
-
- - **1**. (default) Send safe samples automatically.
-
- - **2**. Never send.
-
- - **3**. Send all samples automatically.
+- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) to **2 (two) for Never Send**.
-or-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+- Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to **2 (two) for Never Send**.
-You can stop downloading definition updates:
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+You can stop downloading **Definition Updates**:
+
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and-
-- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**.
-or-
-- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**.
+- Create a new REG_SZ registry setting named **FallbackOrder** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates** with a value of **FileShares**.
-For Windows 10 only, you can stop Enhanced Notifications:
+ -and-
-- Turn off the feature in the UI.
+- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
+
+
+You can turn off **Malicious Software Reporting Tool diagnostic data**:
+
+- Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
+
+**Note:** There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
+
+
+You can turn off **Enhanced Notifications** as follows:
+
+- Set in the UI: Settings -> Update & Security -> Windows Security -> Virus & Threat Protection -> Virus & Threat Protection Manage Settings -> scroll to bottom for Notifications, click Change Notifications Settings -> Notifications -> click Manage Notifications -> Turn off General Notifications
+
+ -or-
+
+- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Reporting**.
+
+ -or-
+
+- Create a new REG_SZ registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** to a value of **1**.
-You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
### 24.1 Windows Defender SmartScreen
To disable Windows Defender Smartscreen:
-- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable**
+- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled**
-and-
@@ -1903,137 +1926,148 @@ To disable Windows Defender Smartscreen:
-and-
-- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**
+- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations**
- -or-
+-OR-
-- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
-and-
-- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1.
-
+- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a **value of 1**.
+
-and-
-- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**.
+- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
- -or-
+-OR-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+- Set the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to **0 (turned Off)**.
-### 25. Windows Media Player
-To remove Windows Media Player on Windows 10:
-
-- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
-
- -or-
-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-
-To remove Windows Media Player on Windows Server 2016:
-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-
-### 26. Windows Spotlight
+### 25. Windows Spotlight
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface, MDM policy, or through Group Policy.
-If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
+If you're running Windows 10, version 1607 or later, you need to:
-- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+- **Enable** the following Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
> [!NOTE]
> This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
- -or-
+ -or-
- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+- Create a new REG_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
--and-
+-AND-
-- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the Lock Screen**
+- Enable the following Group Policy **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the Lock Screen**
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **NoLockScreen** in **HKEY\Local\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
+- Create a new REG_DWORD registry setting named **NoLockScreen** in **HKEY_Local_Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a **value of 1 (one)**
-If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
-- Configure the following in **Settings**:
+-AND-
- - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
- - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+- Configure the following in **Settings** UI:
- - **System** > **Notifications & actions** > **Show me tips about Windows**.
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**
- -or-
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**
+
+ - **System** > **Notifications & actions** > **Show me tips about Windows**
+
+ -or-
- Apply the Group Policies:
- - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
- - Add a location in the **Path to local lock screen image** box.
+ - **Enable** the **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image and logon image** Group Policy.
+ - Add **C:\\windows\\web\\screen\\lockscreen.jpg** as the location in the **Path to local lock screen image** box.
- - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+ - Check the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
> [!NOTE]
- > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting named **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
+ > This will only take effect if the policy is applied before the first logon.
+ > If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device,
+ > you can **Enable** the **Do not display the lock screen** policy under **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization**
+
+ > Alternatively, you can create a new REG_SZ registry setting named **LockScreenImage** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization**
+ > with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG_DWORD registry setting named **LockScreenOverlaysDisabled** in
+ > **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **1 (one)**.
+
+ > The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
+-AND-
- -or-
- - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+ - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+ -or-
- -or-
+ - Create a new REG_DWORD registry setting named **DisableSoftLanding** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
- - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
- - This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
+-AND-
- - If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
- - If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
+ - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences** to **Enabled**
+
+ -or-
+
+ - Create a new REG_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY_LOCAL_MACHINE\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
+
+
+This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
+
+If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
+
+If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
-### 27. Microsoft Store
+### 26. Microsoft Store
You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded.
This will also turn off automatic app updates, and the Microsoft Store will be disabled.
In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
-or-
- - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one).
+- Create a new REG_DWORD registry setting named **DisableStoreApps** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one).
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
+-AND-
+
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
-or-
- - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two).
+- Create a new REG_DWORD registry setting named **AutoDownload** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two).
-### 27.1 Apps for websites
+### 26.1 Apps for websites
You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app.
-Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers**
-### 28. Windows Update Delivery Optimization
+ -or-
+
+- Create a new REG_DWORD registry setting named **EnableAppUriHandlers** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
+
+### 27. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@@ -2041,33 +2075,39 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will only
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
-In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
+In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Bypass** (100), as described below.
-### 28.1 Settings > Update & security
+### 27.1 Settings > Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-### 28.2 Delivery Optimization Group Policies
+### 27.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
-| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
+| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note:** This ID must be a GUID.|
| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-Set the Delivery Optimization Group Policy to "Bypass" to prevent traffic. Alternatively, you can set the **Download Mode** policy by creating a new REG\_DWORD registry setting named **DODownloadMode** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of 100 (one hundred).
+### 27.3 Delivery Optimization
-### 28.3 Delivery Optimization MDM policies
+- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Bypass"** to prevent traffic.
+
+-or-
+
+- Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **100 (one hundred)**.
+
+### 27.4 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-| Policy | Description |
+| MDM Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note** This ID must be a GUID.|
@@ -2076,52 +2116,54 @@ The following Delivery Optimization MDM policies are available in the [Policy CS
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 28.4 Delivery Optimization Windows Provisioning
-
-If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
-
-Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
-
-3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
-
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
-### 29. Windows Update
+### 28. Windows Update
You can turn off Windows Update by setting the following registry entries:
-- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+- Add a REG_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-and-
-- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+- Add a REG_DWORD value named **DisableWindowsUpdateAccess** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-and-
-- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
+- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
-and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
+- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
-and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ".
+- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+
+ -and-
+
+- Add a REG_DWORD value named **UseWUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\WindowsUpdate\\AU** and set the value to 1.
+
+-OR-
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
+
+ -and-
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled**
+
+ -and-
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
+
+ -and-
+
+- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
You can turn off automatic updates by doing one of the following. This is not recommended.
-- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+- Add a REG_DWORD value named **AutoDownload** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
-or-
@@ -2139,5 +2181,12 @@ You can turn off automatic updates by doing one of the following. This is not re
- **5**. Turn off automatic updates.
+For China releases of Windows 10 there is one additional Regkey to be set to prevent traffic:
+
+- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0.
+
+
+
+
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index a3e6817d6a..3c4c5afdbb 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -405,52 +405,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
-The following endpoints are used to download operating system patches and updates.
+The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | *.windowsupdate.com |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
-
-The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | cds.d2s7q6s2.hwcdn.net |
-
-The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | *wac.phicdn.net |
-| | | *wac.edgecastcdn.net |
-
-The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
-
-The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | emdl.ws.microsoft.com |
+| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
-| svchost | HTTPS | fe2.update.microsoft.com |
-| svchost | | fe3.delivery.mp.microsoft.com |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
-| svchost | HTTPS | sls.update.microsoft.com |
+| svchost | HTTPS | *.update.microsoft.com |
+| svchost | HTTPS | *.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
@@ -459,14 +428,6 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
-The following endpoints are used to download content.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | a122.dscd.akamai.net |
-| | | a1621.g.akamai.net |
-
## Microsoft forward link redirection service (FWLink)
The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
@@ -490,4 +451,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index c23ac04672..44e5f88ceb 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -410,53 +410,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
-The following endpoints are used to download operating system patches and updates.
+The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | *.windowsupdate.com |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
-
-The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | cds.d2s7q6s2.hwcdn.net |
-
-The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | *wac.phicdn.net |
-| | | *wac.edgecastcdn.net |
-
-The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
-
-The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | emdl.ws.microsoft.com |
+| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
-| svchost | HTTPS | fe2.update.microsoft.com |
-| svchost | | fe3.delivery.mp.microsoft.com |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
-| svchost | HTTPS | sls.update.microsoft.com |
-| | HTTP | *.dl.delivery.mp.microsoft.com |
+| svchost | HTTPS | *.update.microsoft.com |
+| svchost | HTTPS | *.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
@@ -465,14 +433,6 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
-The following endpoints are used to download content.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | a122.dscd.akamai.net |
-| | | a1621.g.akamai.net |
-
## Microsoft forward link redirection service (FWLink)
The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
@@ -496,4 +456,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 74fa377991..33042b0ada 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -440,53 +440,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
-The following endpoints are used to download operating system patches and updates.
+The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | *.windowsupdate.com |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
-
-The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | cds.d2s7q6s2.hwcdn.net |
-
-The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | *wac.phicdn.net |
-| | | *wac.edgecastcdn.net |
-
-The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
-
-The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | emdl.ws.microsoft.com |
+| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
-| svchost | HTTPS | fe2.update.microsoft.com |
-| svchost | | fe3.delivery.mp.microsoft.com |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
-| svchost | HTTPS | sls.update.microsoft.com |
-| | HTTP | *.dl.delivery.mp.microsoft.com |
+| svchost | HTTPS | *.update.microsoft.com |
+| svchost | HTTPS | *.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
@@ -495,13 +463,6 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
-The following endpoints are used to download content.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | a122.dscd.akamai.net |
-| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
@@ -528,4 +489,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index b6be3b5acd..1df90d39e0 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -98,7 +98,7 @@ We used the following methodology to derive these network endpoints:
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
+| \*.tlu.dl.delivery.mp.microsoft.com/\* | HTTP | Enables connections to Windows Update. |
| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md
new file mode 100644
index 0000000000..188c87f7a3
--- /dev/null
+++ b/windows/release-information/TOC.md
@@ -0,0 +1,23 @@
+# [Windows 10 release information](index.md)
+## [Message center](windows-message-center.yml)
+## [Version 1809 and Windows Server 2019](status-windows-10-1809-and-windows-server-2019.yml)
+### [Resolved issues](resolved-issues-windows-10-1809-and-windows-server-2019.yml)
+## [Version 1803](status-windows-10-1803.yml)
+### [Resolved issues](resolved-issues-windows-10-1803.yml)
+## [Version 1709](status-windows-10-1709.yml)
+### [Resolved issues](resolved-issues-windows-10-1709.yml)
+## [Version 1703](status-windows-10-1703.yml)
+### [Resolved issues](resolved-issues-windows-10-1703.yml)
+## [Version 1607 and Windows Server 2016](status-windows-10-1607-and-windows-server-2016.yml)
+### [Resolved issues](resolved-issues-windows-10-1607.yml)
+## [Version 1507](status-windows-10-1507.yml)
+### [Resolved issues](resolved-issues-windows-10-1507.yml)
+## Previous versions
+### [Windows 8.1 and Windows Server 2012 R2](status-windows-8.1-and-windows-server-2012-r2.yml)
+####[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
+### [Windows Server 2012](status-windows-server-2012.yml)
+####[Resolved issues](resolved-issues-windows-server-2012.yml)
+### [Windows 7 and Windows Server 2008 R2](status-windows-7-and-windows-server-2008-r2-sp1.yml)
+####[Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml)
+### [Windows Server 2008 SP2](status-windows-server-2008-sp2.yml)
+####[Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
\ No newline at end of file
diff --git a/windows/release-information/TOC.yml b/windows/release-information/TOC.yml
deleted file mode 100644
index b5ef71ac32..0000000000
--- a/windows/release-information/TOC.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Index
- href: index.md
\ No newline at end of file
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 6a0fb3e804..a91619d79b 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -35,7 +35,10 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "breadcrumb_path": "/release-information/breadcrumb/toc.json",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.prod": "w10",
+ "ms.date": "4/30/2019",
+ "titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
"feedback_system": "None"
},
@@ -44,4 +47,4 @@
"dest": "release-information",
"markdownEngineName": "markdig"
}
-}
\ No newline at end of file
+}
diff --git a/windows/release-information/index.md b/windows/release-information/index.md
index 45697f0cda..2aa38be1de 100644
--- a/windows/release-information/index.md
+++ b/windows/release-information/index.md
@@ -1,3 +1,30 @@
-# Welcome to release-information!
+---
+title: Windows 10 - release information
+description: Learn release information for Windows 10 releases
+keywords: ["Windows 10", "Windows 10 October 2018 Update"]
+ms.prod: w10
+layout: LandingPage
+ms.topic: landing-page
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: lizap
+ms.author: elizapo
+ms.localizationpriority: high
+---
+# Windows 10 release information
+
+Feature updates for Windows 10 are released twice a year, targeting March and September, via the Semi-Annual Channel (SAC) and will be serviced with monthly quality updates for 18 months from the date of the release. We recommend that you begin deployment of each SAC release immediately to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
+
+Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
+
+>[!NOTE]
+>If you are not using Windows Update for Business today, the "Semi-Annual Channel (Targeted)" servicing option has no impact on when your devices will be updated. It merely reflects a milestone for the semi-annual release, the period of time during which Microsoft recommends that your IT team make the release available to specific, "targeted" devices for the purpose of validating and generating data in order to get to a broad deployment decision. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
+
+
+
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4493475April 09, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 10240.18158
March 12, 2019
KB4489872Resolved
KB4493475April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4493475April 09, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872March 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872March 12, 2019
10:00 AM PTFirst character of Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4491101February 21, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018February 12, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018February 12, 2019
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >OS Build 10240.18005
October 09, 2018
KB4462922Resolved
KB4471323December 11, 2018
10:00 AM PTGuest VMs running Unicast NLB fail to respond after restart
All guest virtual machines running Unicast NLB fail to respond to NLB requests after the virtual machines restart.
See details >OS Build 10240.17976
September 11, 2018
KB4457132Resolved
KB4462922October 09, 2018
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 10240.18158
March 12, 2019
KB4489872Resolved
KB4493475Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4493475Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTFirst character of Japanese era name not recognized
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4491101Resolved:
February 21, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History MSXML6 may cause applications to stop responding
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4493475Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: September 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOS Build 10240.18005
October 09, 2018
KB4462922Resolved
KB4471323Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
new file mode 100644
index 0000000000..72407b6ba9
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -0,0 +1,135 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 10, version 1607 and Windows Server 2016
+metadata:
+ document_id:
+ title: Resolved issues in Windows 10, version 1607 and Windows Server 2016
+ description: Resolved issues in Windows 10, version 1607
+ keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1607"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 10, version 1607 and Windows Server 2016 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Guest VMs running Unicast NLB fail to respond after restart
Back to topOS Build 10240.17976
September 11, 2018
KB4457132Resolved
KB4462922Resolved:
October 09, 2018
10:00 AM PT
Opened:
September 11, 2018
10:00 AM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 14393.2848
March 12, 2019
KB4489882Resolved
KB4493473April 25, 2019
02:00 PM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup.
See details >OS Build 14393.2879
March 19, 2019
KB4489889Resolved
KB4493470April 09, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4493470April 09, 2019
10:00 AM PTIssue hosting multiple terminal server sessions and a user logs off on Windows Server
In some cases, Windows Server will stop working and restart when hosting multiple terminal server sessions and a user logs off.
See details >OS Build 14393.2828
February 19, 2019
KB4487006Resolved
KB4489882March 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4489882March 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 14393.2759
January 17, 2019
KB4480977Resolved
KB4487006February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4487026February 12, 2019
10:00 AM PTInstant search in Microsoft Outlook fails on Windows Server 2016
Instant search in Microsoft Outlook clients fail with the error, \"Outlook cannot perform the search\" on Windows Server 2016.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4487026February 12, 2019
10:00 AM PTSqlConnection instantiation exception on .NET 4.6 and later
Instantiation of SqlConnection can throw an exception after certain updates have been installed.
See details >OS Build 14393.2457
August 30, 2018
KB4343884Resolved
KB4480977January 17, 2019
02:00 PM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4480977January 17, 2019
02:00 PM PTSystem becomes unresponsive when end-user-defined characters (EUDC) are used
When features related to end-user-defined characters (EUDC) are used, the entire system may become unresponsive.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4471321December 11, 2018
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >OS Build 14393.2551
October 09, 2018
KB4462917Resolved
KB4471321December 11, 2018
10:00 AM PTIssues with install and activation of Key Management Service (KMS) (CSVLK) host keys
Installation and client activation of Windows Server 2019 and 1809 LTSC Key Management Service (KMS) (CSVLK) host keys do not work as expected.
See details >OS Build 14393.2457
August 30, 2018
KB4343884Resolved
KB4467684November 27, 2018
10:00 AM PTPromotions that create non-root domains fail with optional features enabled
Windows Server 2016 promotions that create non-root domains fail in forests in which optional features like Active Directory recycle have been enabled.
See details >OS Build 14393.2515
September 20, 2018
KB4457127Resolved
KB4467684November 27, 2018
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 14393.2848
March 12, 2019
KB4489882Resolved
KB4493473Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
Back to topOS Build 14393.2879
March 19, 2019
KB4489889Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 19, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTIssue hosting multiple terminal server sessions and a user logs off on Windows Server
Back to topOS Build 14393.2828
February 19, 2019
KB4487006Resolved
KB4489882Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 19, 2019
02:00 PM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4489882Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: November 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topOS Build 14393.2759
January 17, 2019
KB4480977Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 17, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4487026Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4480977Resolved:
January 17, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Instant search in Microsoft Outlook fails on Windows Server 2016
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4487026Resolved:
February 12, 2019
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PTSystem becomes unresponsive when end-user-defined characters (EUDC) are used
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4471321Resolved:
December 11, 2018
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PT
+ "
+
+- title: September 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOS Build 14393.2551
October 09, 2018
KB4462917Resolved
KB4471321Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
+
+- title: August 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Promotions that create non-root domains fail with optional features enabled
Back to topOS Build 14393.2515
September 20, 2018
KB4457127Resolved
KB4467684Resolved:
November 27, 2018
10:00 AM PT
Opened:
September 20, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
new file mode 100644
index 0000000000..a32bfe383c
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-10-1703.yml
@@ -0,0 +1,113 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 10, version 1703
+metadata:
+ document_id:
+ title: Resolved issues in Windows 10, version 1703
+ description: Resolved issues in Windows 10, version 1703
+ keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1703"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 10, version 1703 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History SqlConnection instantiation exception on .NET 4.6 and later
Back to topOS Build 14393.2457
August 30, 2018
KB4343884Resolved
KB4480977Resolved:
January 17, 2019
02:00 PM PT
Opened:
August 30, 2018
05:00 PM PTIssues with install and activation of Key Management Service (KMS) (CSVLK) host keys
Back to topOS Build 14393.2457
August 30, 2018
KB4343884Resolved
KB4467684Resolved:
November 27, 2018
10:00 AM PT
Opened:
August 30, 2018
05:00 PM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 15063.1689
March 12, 2019
KB4489871Resolved
KB4493436April 25, 2019
02:00 PM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 15063.1716
March 19, 2019
KB4489888Resolved
KB4493474April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4493474April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4493474April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 15063.1659
February 19, 2019
KB4487011Resolved
KB4489871March 12, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 15063.1596
January 15, 2019
KB4480959Resolved
KB4487011February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011February 19, 2019
02:00 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011February 19, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020February 12, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020February 12, 2019
10:00 AM PTSqlConnection instantiation exception on .NET 4.6 and later
Instantiation of SqlConnection can throw an exception after certain updates have been installed.
See details >OS Build 15063.1292
August 30, 2018
KB4343889Resolved
KB4480959January 15, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4480959January 15, 2019
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >OS Build 15063.1387
October 09, 2018
KB4462937Resolved
KB4471327December 11, 2018
10:00 AM PTLongonUI.exe stops working intermittently
LongonUI.exe stops working intermittently.
See details >OS Build 15063.1387
October 09, 2018
KB4462937Resolved
KB4467699November 27, 2018
10:00 AM PTError message beginning with “Hosted by…” when launching Microsoft Edge
Some users may encounter an error message beginning with “Hosted by…” when launching Microsoft Edge.
See details >OS Build 15063.1387
October 09, 2018
KB4462937Resolved
KB4462939October 18, 2018
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 15063.1689
March 12, 2019
KB4489871Resolved
KB4493436Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
Back to topOS Build 15063.1716
March 19, 2019
KB4489888Resolved
KB4493474Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 19, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4493474Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 15063.1659
February 19, 2019
KB4487011Resolved
KB4489871Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Back to topOS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History MSXML6 may cause applications to stop responding
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4493474Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topOS Build 15063.1596
January 15, 2019
KB4480959Resolved
KB4487011Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4480959Resolved:
January 15, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: August 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOS Build 15063.1387
October 09, 2018
KB4462937Resolved
KB4471327Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PTLongonUI.exe stops working intermittently
Back to topOS Build 15063.1387
October 09, 2018
KB4462937Resolved
KB4467699Resolved:
November 27, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PTError message beginning with “Hosted by…” when launching Microsoft Edge
Back to topOS Build 15063.1387
October 09, 2018
KB4462937Resolved
KB4462939Resolved:
October 18, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
new file mode 100644
index 0000000000..2893c090ed
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -0,0 +1,113 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 10, version 1709 and Windows Server, vesion 1709
+metadata:
+ document_id:
+ title: Resolved issues in Windows 10, version 1709 and Windows Server, vesion 1709
+ description: Resolved issues in Windows 10, version 1709 and Windows Server 1709
+ keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1709"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 10, version 1709 and Windows Server, version 1709 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History SqlConnection instantiation exception on .NET 4.6 and later
Back to topOS Build 15063.1292
August 30, 2018
KB4343889Resolved
KB4480959Resolved:
January 15, 2019
10:00 AM PT
Opened:
August 30, 2018
05:00 PM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493440April 25, 2019
02:00 PM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 16299.1059
March 19, 2019
KB4489890Resolved
KB4493441April 09, 2019
10:00 AM PTMSXML6 causes applications to stop responding if an exception was thrown
MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4493441April 09, 2019
10:00 AM PTStop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.
See details >OS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493441April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4493441April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4489886March 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 16299.936
January 15, 2019
KB4480967Resolved
KB4487021February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996February 12, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996February 12, 2019
10:00 AM PTSqlConnection instantiation exception on .NET 4.6 and later
Instantiation of SqlConnection can throw an exception after certain updates have been installed.
See details >OS Build 16299.637
August 30, 2018
KB4343893Resolved
KB4480967January 15, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4480967January 15, 2019
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >OS Build 16299.726
October 09, 2018
KB4462918Resolved
KB4471329December 11, 2018
10:00 AM PTError message beginning with “Hosted by…” when launching Microsoft Edge
Some users may encounter an error message beginning with “Hosted by…” when launching Microsoft Edge.
See details >OS Build 16299.726
October 09, 2018
KB4462918Resolved
KB4462932October 18, 2018
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493440Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
Back to topOS Build 16299.1059
March 19, 2019
KB4489890Resolved
KB4493441Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 19, 2019
10:00 AM PTStop error when attempting to start SSH from WSL
Back to topOS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493441Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4493441Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4489886Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History MSXML6 causes applications to stop responding if an exception was thrown
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4493441Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topOS Build 16299.936
January 15, 2019
KB4480967Resolved
KB4487021Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4480967Resolved:
January 15, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: August 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOS Build 16299.726
October 09, 2018
KB4462918Resolved
KB4471329Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PTError message beginning with “Hosted by…” when launching Microsoft Edge
Back to topOS Build 16299.726
October 09, 2018
KB4462918Resolved
KB4462932Resolved:
October 18, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
new file mode 100644
index 0000000000..8eaaa3f3c9
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -0,0 +1,147 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 10, version 1803
+metadata:
+ document_id:
+ title: Resolved issues in Windows 10, version 1803
+ description: Resolved issues in Windows 10, version 1803
+ keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1803"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 10, version 1803 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History SqlConnection instantiation exception on .NET 4.6 and later
Back to topOS Build 16299.637
August 30, 2018
KB4343893Resolved
KB4480967Resolved:
January 15, 2019
10:00 AM PT
Opened:
August 30, 2018
05:00 PM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493437April 25, 2019
02:00 PM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 17134.677
March 19, 2019
KB4489894Resolved
KB4493464April 09, 2019
10:00 AM PTFirst character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 17134.556
January 15, 2019
KB4480976Resolved
KB4487029April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4493464April 09, 2019
10:00 AM PTStop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.
See details >OS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493464April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4493464April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4489868March 12, 2019
10:00 AM PTCannot pin a web link on the Start menu or the taskbar
Some users cannot pin a web link on the Start menu or the taskbar.
See details >OS Build 17134.471
December 11, 2018
KB4471324Resolved
KB4487029February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4487029February 19, 2019
02:00 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017February 12, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017February 12, 2019
10:00 AM PTSqlConnection instantiation exception on .NET 4.6 and later
After you install the August Preview of Quality Rollup or the September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception.
See details >OS Build 17134.285
September 11, 2018
KB4457128Resolved
KB4480976January 15, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4480976January 15, 2019
10:00 AM PTBlue or black screen with \"System thread exception not handled\" error
Some users may get a blue or black screen with the error code, “System thread exception not handled.”
See details >OS Build 17134.441
November 27, 2018
KB4467682Resolved
KB4471324December 11, 2018
10:00 AM PTCustom Start menu layouts display incorrectly
Custom Start menu layouts may display incorrectly.
See details >OS Build 17134.441
November 27, 2018
KB4467682Resolved
KB4471324December 11, 2018
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >OS Build 17134.345
October 09, 2018
KB4462919Resolved
KB4471324December 11, 2018
10:00 AM PTUsers cannot set Win32 program defaults
Some users cannot set Win32 program defaults for certain app and file type combinations.
See details >OS Build 17134.320
September 26, 2018
KB4458469Resolved
KB4467682November 27, 2018
10:00 AM PTDeveloper Tools (F12) fail to start in Microsoft Edge
Developer Tools (F12) may fail to start in Microsoft Edge.
See details >OS Build 17134.376
October 24, 2018
KB4462933Resolved
KB4467702November 13, 2018
10:00 AM PTGuest VMs running Unicast NLB fail to respond after restart
All guest virtual machines running Unicast NLB fail to respond to NLB requests after the virtual machines restart.
See details >OS Build 17134.285
September 11, 2018
KB4457128Resolved
KB4458469September 26, 2018
10:00 AM PTMicrosoft Intune takes a long time to deliver user profiles
Windows no longer recognizes the Personal Information exchange (PFX) certificate used for Wi-Fi or VPN authentication, causing delays in Microsoft Intune delivering user profiles.
See details >OS Build 17134.191
July 24, 2018
KB4340917Resolved
KB4464218September 17, 2018
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493437Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
Back to topOS Build 17134.677
March 19, 2019
KB4489894Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 19, 2019
10:00 AM PTStop error when attempting to start SSH from WSL
Back to topOS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4489868Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4487029Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: December 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History First character of the Japanese era name not recognized
Back to topOS Build 17134.556
January 15, 2019
KB4480976Resolved
KB4487029Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4480976Resolved:
January 15, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: November 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Cannot pin a web link on the Start menu or the taskbar
Back to topOS Build 17134.471
December 11, 2018
KB4471324Resolved
KB4487029Resolved:
February 19, 2019
02:00 PM PT
Opened:
December 11, 2018
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Blue or black screen with \"System thread exception not handled\" error
Back to topOS Build 17134.441
November 27, 2018
KB4467682Resolved
KB4471324Resolved:
December 11, 2018
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PTCustom Start menu layouts display incorrectly
Back to topOS Build 17134.441
November 27, 2018
KB4467682Resolved
KB4471324Resolved:
December 11, 2018
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PT
+ "
+
+- title: September 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOS Build 17134.345
October 09, 2018
KB4462919Resolved
KB4471324Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PTDeveloper Tools (F12) fail to start in Microsoft Edge
Back to topOS Build 17134.376
October 24, 2018
KB4462933Resolved
KB4467702Resolved:
November 13, 2018
10:00 AM PT
Opened:
October 24, 2018
02:00 PM PT
+ "
+
+- title: July 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History SqlConnection instantiation exception on .NET 4.6 and later
Back to topOS Build 17134.285
September 11, 2018
KB4457128Resolved
KB4480976Resolved:
January 15, 2019
10:00 AM PT
Opened:
September 11, 2018
10:00 AM PTUsers cannot set Win32 program defaults
Back to topOS Build 17134.320
September 26, 2018
KB4458469Resolved
KB4467682Resolved:
November 27, 2018
10:00 AM PT
Opened:
September 26, 2018
02:00 PM PTGuest VMs running Unicast NLB fail to respond after restart
Back to topOS Build 17134.285
September 11, 2018
KB4457128Resolved
KB4458469Resolved:
September 26, 2018
10:00 AM PT
Opened:
September 11, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
new file mode 100644
index 0000000000..b0d3c9f294
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -0,0 +1,151 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 10, version 1809 and Windows Server 2019
+metadata:
+ document_id:
+ title: Resolved issues in Windows 10, version 1809 and Windows Server 2019
+ description: Resolved issues in Windows 10, version 1809 or Windows Server 2019
+ keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10 1809"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 10, version 1809 and Windows Server 2019 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Microsoft Intune takes a long time to deliver user profiles
Back to topOS Build 17134.191
July 24, 2018
KB4340917Resolved
KB4464218Resolved:
September 17, 2018
10:00 AM PT
Opened:
July 24, 2018
10:00 AM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.
See details >OS Build 17763.475
May 03, 2019
KB4495667Resolved May 08, 2019
03:37 PM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809
See details >OS Build 17763.437
April 09, 2019
KB4493509Resolved May 08, 2019
03:30 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 17763.379
March 12, 2019
KB4489899Resolved
KB4495667May 03, 2019
12:40 PM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 17763.404
April 02, 2019
KB4490481Resolved
KB4493509April 09, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4493509April 09, 2019
10:00 AM PTApps may stop working after selecting an audio output device other than the default
Users with multiple audio devices that select an audio output device different from the \"Default Audio Device\" may find certain applications stop working unexpectedly.
See details >OS Build 17763.348
March 01, 2019
KB4482887Resolved
KB4490481April 02, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4489899March 12, 2019
10:00 AM PTGlobal DNS outage affects Windows Update customers
Windows Update customers were recently affected by a network infrastructure event caused by an external DNS service provider's global outage.
See details >N/A Resolved March 08, 2019
11:15 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PTFirst character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PTShared albums may not sync with iCloud for Windows
Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PTIntel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PTF5 VPN clients losing network connectivity
Upgrade block: After updating to Window 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4487044February 12, 2019
10:00 AM PTIssues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Upgrade block: Devices utilizing AMD Radeon HD2000 or HD4000 series video cards may experience issues with the lock screen and Microsoft Edge tabs.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4487044February 12, 2019
10:00 AM PTTrend Micro OfficeScan and Worry-Free Business Security AV software not compatible
Upgrade block: Microsoft and Trend Micro identified a compatibility issue with the Trend Micro business endpoint security solutions OfficeScan and Worry-Free Business Security.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved February 01, 2019
09:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4476976January 22, 2019
02:00 PM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >OS Build 17763.55
October 09, 2018
KB4464330Resolved
KB4471332December 11, 2018
10:00 AM PTAudio stops working after installing Intel audio driver
Upgrade block: Windows 10 audio stops working after installing Intel Smart Sound Technology driver (version 09.21.00.3755).
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4468550December 07, 2018
10:00 AM PTOffice apps (32-bit) unable to use 'Save As…' function
Upgrade block: Devices using Morphisec Protector (or other application that uses the Morphisec SDK) may be unable to save documents when using 32-bit Microsoft Office apps.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved December 06, 2018
12:00 PM PTUsers cannot set Win32 program defaults
Some users cannot set Win32 program defaults for certain app and file type combinations.
See details >OS Build 17763.55
October 09, 2018
KB4464330Resolved
KB4469342December 05, 2018
02:00 PM PTMapped drives fail to reconnect after login
Upgrade block: Mapped drives may fail to reconnect after booting and logging on to a Windows device.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4469342December 05, 2018
02:00 PM PTMicrosoft Edge may crash or hang while playing video
Following an nVidia driver update, Microsoft Edge may crash or hang while playing video.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved December 05, 2018
10:00 AM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Latest cumulative update (KB 4495667) installs automatically
Back to topOS Build 17763.475
May 03, 2019
KB4495667Resolved Resolved:
May 08, 2019
03:37 PM PT
Opened:
May 05, 2019
12:01 PM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History System may be unresponsive after restart if ArcaBit antivirus software installed
Back to topOS Build 17763.437
April 09, 2019
KB4493509Resolved Resolved:
May 08, 2019
03:30 PM PT
Opened:
April 09, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
Back to topOS Build 17763.404
April 02, 2019
KB4490481Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
April 02, 2019
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 17763.379
March 12, 2019
KB4489899Resolved
KB4495667Resolved:
May 03, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PTApps may stop working after selecting an audio output device other than the default
Back to topOS Build 17763.348
March 01, 2019
KB4482887Resolved
KB4490481Resolved:
April 02, 2019
10:00 AM PT
Opened:
March 01, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4489899Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTFirst character of the Japanese era name not recognized
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: November 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTGlobal DNS outage affects Windows Update customers
Back to topN/A Resolved Resolved:
March 08, 2019
11:15 AM PT
Opened:
January 29, 2019
02:00 PM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4487044Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4476976Resolved:
January 22, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Shared albums may not sync with iCloud for Windows
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTIntel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTF5 VPN clients losing network connectivity
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTIssues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4487044Resolved:
February 12, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTTrend Micro OfficeScan and Worry-Free Business Security AV software not compatible
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved Resolved:
February 01, 2019
09:00 AM PT
Opened:
November 13, 2018
10:00 AM PTAudio stops working after installing Intel audio driver
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4468550Resolved:
December 07, 2018
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTOffice apps (32-bit) unable to use 'Save As…' function
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved Resolved:
December 06, 2018
12:00 PM PT
Opened:
November 13, 2018
10:00 AM PTMapped drives fail to reconnect after login
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4469342Resolved:
December 05, 2018
02:00 PM PT
Opened:
November 13, 2018
10:00 AM PTMicrosoft Edge may crash or hang while playing video
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved Resolved:
December 05, 2018
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
new file mode 100644
index 0000000000..d034127b65
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -0,0 +1,109 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
+metadata:
+ document_id:
+ title: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
+ description: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
+ keywords: ["Resolved issues in Windows 7", "Windows 7", "Windows Server 2008 R2 SP1"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 7 and Windows Server 2008 R2 SP1 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOS Build 17763.55
October 09, 2018
KB4464330Resolved
KB4471332Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PTUsers cannot set Win32 program defaults
Back to topOS Build 17763.55
October 09, 2018
KB4464330Resolved
KB4469342Resolved:
December 05, 2018
02:00 PM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >April 09, 2019
KB4493472Resolved April 25, 2019
02:00 PM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >January 08, 2019
KB4480970Resolved
KB4493472April 09, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >March 12, 2019
KB4489878Resolved
KB4493472April 09, 2019
10:00 AM PTNETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.
See details >March 12, 2019
KB4489878Resolved
KB4493472April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4486563Resolved
KB4493472April 09, 2019
10:00 AM PTEvent Viewer may not show some event descriptions for network interface cards
The Event Viewer may not show some event descriptions for network interface cards (NIC).
See details >October 18, 2018
KB4462927Resolved
KB4489878March 12, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480970Resolved
KB4490511February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 17, 2019
KB4480955Resolved
KB4486565February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >February 12, 2019
KB4486563Resolved
KB4486565February 19, 2019
02:00 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >February 12, 2019
KB4486563Resolved
KB4486565February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480970Resolved
KB4486563February 12, 2019
10:00 AM PTLocal Administrators unable to remotely access shares
Local users who are part of the local Administrators group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines.
See details >January 08, 2019
KB4480970Resolved
KB4487345January 11, 2019
02:00 PM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >October 09, 2018
KB4462923Resolved
KB4471318December 11, 2018
10:00 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Devices may not respond at login or Welcome screen if running certain Avast software
Back to topApril 09, 2019
KB4493472Resolved Resolved:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topMarch 12, 2019
KB4489878Resolved
KB4493472Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PTNETDOM.EXE fails to run
Back to topMarch 12, 2019
KB4489878Resolved
KB4493472Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4486563Resolved
KB4493472Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topFebruary 12, 2019
KB4486563Resolved
KB4486565Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topFebruary 12, 2019
KB4486563Resolved
KB4486565Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topJanuary 08, 2019
KB4480970Resolved
KB4493472Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480970Resolved
KB4490511Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 17, 2019
KB4480955Resolved
KB4486565Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 17, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480970Resolved
KB4486563Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTLocal Administrators unable to remotely access shares
Back to topJanuary 08, 2019
KB4480970Resolved
KB4487345Resolved:
January 11, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
new file mode 100644
index 0000000000..1ef62bfe75
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -0,0 +1,109 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 8.1 and Windows Server 2012 R2
+metadata:
+ document_id:
+ title: Resolved issues in Windows 8.1 and Windows Server 2012 R2
+ description: Resolved issues in Windows 8.1 and Windows Server 2012 R2
+ keywords: ["Resolved issues in Windows 8.1", "Windows 8.1", "Windows Server 2012 R2"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows 8.1 and Windows Server 2012 R2 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Event Viewer may not show some event descriptions for network interface cards
Back to topOctober 18, 2018
KB4462927Resolved
KB4489878Resolved:
March 12, 2019
10:00 AM PT
Opened:
October 18, 2018
10:00 AM PTUnable to use Seek bar in Windows Media Player
Back to topOctober 09, 2018
KB4462923Resolved
KB4471318Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >April 09, 2019
KB4493446Resolved April 25, 2019
02:00 PM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >January 08, 2019
KB4480963Resolved
KB4493446April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding.
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >January 08, 2019
KB4480963Resolved
KB4493446April 09, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >March 12, 2019
KB4489881Resolved
KB4493446April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4487000Resolved
KB4493446April 09, 2019
10:00 AM PTDevices with winsock kernel client may receive error
Devices with a winsock kernel client may receive D1, FC, and other errors.
See details >March 12, 2019
KB4489881Resolved
KB4489893March 19, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >February 19, 2019
KB4487016Resolved
KB4489881March 12, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480963Resolved
KB4490512February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 15, 2019
KB4480969Resolved
KB4487016February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >February 12, 2019
KB4487000Resolved
KB4487016February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480963Resolved
KB4487000February 12, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >January 08, 2019
KB4480963Resolved
KB4480969January 15, 2019
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >October 09, 2018
KB4462926Resolved
KB4471320December 11, 2018
10:00 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Devices may not respond at login or Welcome screen if running certain Avast software
Back to topApril 09, 2019
KB4493446Resolved Resolved:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topMarch 12, 2019
KB4489881Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PTDevices with winsock kernel client may receive error
Back to topMarch 12, 2019
KB4489881Resolved
KB4489893Resolved:
March 19, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4487000Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topFebruary 19, 2019
KB4487016Resolved
KB4489881Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Back to topFebruary 12, 2019
KB4487000Resolved
KB4487016Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topJanuary 08, 2019
KB4480963Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding.
Back to topJanuary 08, 2019
KB4480963Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480963Resolved
KB4490512Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 15, 2019
KB4480969Resolved
KB4487016Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480963Resolved
KB4487000Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topJanuary 08, 2019
KB4480963Resolved
KB4480969Resolved:
January 15, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
new file mode 100644
index 0000000000..fe19c4b36e
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -0,0 +1,91 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows Server 2008 SP2
+metadata:
+ document_id:
+ title: Resolved issues in Windows Server 2008 SP2
+ description: Resolved issues in Windows Server 2008 SP2
+ keywords: ["Resolved issues in Windows Server 2008 SP2", "Windows Server 2008 SP2"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows Server 2008 SP2 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOctober 09, 2018
KB4462926Resolved
KB4471320Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4487023Resolved
KB4493471April 09, 2019
10:00 AM PTNETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.
See details >March 12, 2019
KB4489880Resolved
KB4493471April 09, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 17, 2019
KB4480974Resolved
KB4489880March 12, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480968Resolved
KB4490514February 19, 2019
02:00 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >February 12, 2019
KB4487023Resolved
KB4487022February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480968Resolved
KB4487023February 12, 2019
10:00 AM PTLocal Administrators unable to remotely access shares
Local users who are part of the local Administrators group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines.
See details >January 08, 2019
KB4480968Resolved
KB4487354January 11, 2019
02:00 PM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >October 09, 2018
KB4463097Resolved
KB4471325December 11, 2018
10:00 AM PT
+ "
+
+- title: February 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History NETDOM.EXE fails to run
Back to topMarch 12, 2019
KB4489880Resolved
KB4493471Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4487023Resolved
KB4493471Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topFebruary 12, 2019
KB4487023Resolved
KB4487022Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History First character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 17, 2019
KB4480974Resolved
KB4489880Resolved:
March 12, 2019
10:00 AM PT
Opened:
January 17, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480968Resolved
KB4490514Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480968Resolved
KB4487023Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTLocal Administrators unable to remotely access shares
Back to topJanuary 08, 2019
KB4480968Resolved
KB4487354Resolved:
January 11, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
new file mode 100644
index 0000000000..b2a7ce07c1
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -0,0 +1,97 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows Server 2012
+metadata:
+ document_id:
+ title: Resolved issues in Windows Server 2012
+ description: Resolved issues in Windows Server 2012
+ keywords: ["Resolved issues in Windows Server 2012", "Windows Server 2012"]
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ See a list of known issues that have been resolved for Windows Server 2012 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOctober 09, 2018
KB4463097Resolved
KB4471325Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
+
+- title: Resolved issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Date resolved Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >January 08, 2019
KB4480975Resolved
KB4493451April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >January 08, 2019
KB4480975Resolved
KB4493451April 09, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4487025Resolved
KB4493451April 09, 2019
10:00 AM PTEvent Viewer may not show some event descriptions for network interface cards
The Event Viewer may not show some event descriptions for network interface cards (NIC).
See details >September 11, 2018
KB4457135Resolved
KB4489891March 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >February 12, 2019
KB4487025Resolved
KB4489891March 12, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480975Resolved
KB4490516February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 15, 2019
KB4480971Resolved
KB4487024February 19, 2019
02:00 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >February 12, 2019
KB4487025Resolved
KB4487024February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480975Resolved
KB4487025February 12, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >January 08, 2019
KB4480975Resolved
KB4480971January 15, 2019
10:00 AM PTUnable to use Seek bar in Windows Media Player
Users may not be able to use the Seek bar in Windows Media Player when playing specific files.
See details >October 09, 2018
KB4462929Resolved
KB4471330December 11, 2018
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Embedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4487025Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topFebruary 12, 2019
KB4487025Resolved
KB4489891Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topFebruary 12, 2019
KB4487025Resolved
KB4487024Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
+ "
+
+- title: October 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topJanuary 08, 2019
KB4480975Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topJanuary 08, 2019
KB4480975Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480975Resolved
KB4490516Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 15, 2019
KB4480971Resolved
KB4487024Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480975Resolved
KB4487025Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Back to topJanuary 08, 2019
KB4480975Resolved
KB4480971Resolved:
January 15, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: September 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Unable to use Seek bar in Windows Media Player
Back to topOctober 09, 2018
KB4462929Resolved
KB4471330Resolved:
December 11, 2018
10:00 AM PT
Opened:
October 09, 2018
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
new file mode 100644
index 0000000000..16bf511276
--- /dev/null
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -0,0 +1,81 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1507
+metadata:
+ document_id:
+ title: Windows 10, version 1507
+ description: View annoucements and review known issues and fixes for Windows 10 version 1507
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 10, version 1507. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Event Viewer may not show some event descriptions for network interface cards
Back to topSeptember 11, 2018
KB4457135Resolved
KB4489891Resolved:
March 12, 2019
10:00 AM PT
Opened:
September 11, 2018
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 10240.18094
January 08, 2019
KB4480962Mitigated April 25, 2019
02:00 PM PT
+ "
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
new file mode 100644
index 0000000000..d444c69dac
--- /dev/null
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -0,0 +1,128 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1607 and Windows Server 2016
+metadata:
+ document_id:
+ title: Windows 10, version 1607 and Windows Server 2016
+ description: View annoucements and review known issues and fixes for Windows 10 version 1607 and Windows Server 2016
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 10, version 1607 and Windows Server 2016. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details >OS Build 14393.2941
April 25, 2019
KB4493473Investigating April 25, 2019
02:00 PM PTLayout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >OS Build 14393.2931
April 25, 2019
KB4492241Mitigated May 10, 2019
10:35 AM PTCluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Mitigated April 25, 2019
02:00 PM PTIssue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details >OS Build 14393.2848
March 12, 2019
KB4489882Mitigated April 25, 2019
02:00 PM PTSCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Mitigated April 25, 2019
02:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 14393.2724
January 08, 2019
KB4480961Mitigated April 25, 2019
02:00 PM PTWindows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details >OS Build 14393.2608
November 13, 2018
KB4467691Mitigated February 19, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 14393.2848
March 12, 2019
KB4489882Resolved
KB4493473April 25, 2019
02:00 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topOS Build 14393.2931
April 25, 2019
KB4492241Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Zone transfers over TCP may fail
Back to topOS Build 14393.2941
April 25, 2019
KB4493473Investigating Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 25, 2019
02:00 PM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Issue using PXE to start a device from WDS Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
+
Back to topOS Build 14393.2848
March 12, 2019
KB4489882Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Back to topOS Build 14393.2848
March 12, 2019
KB4489882Resolved
KB4493473Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: November 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
new file mode 100644
index 0000000000..c0cfa4ac36
--- /dev/null
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -0,0 +1,101 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1703
+metadata:
+ document_id:
+ title: Windows 10, version 1703
+ description: View annoucements and review known issues and fixes for Windows 10 version 1703
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Cluster service may fail if the minimum password length is set to greater than 14
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
November 27, 2018
10:00 AM PTSCVMM cannot enumerate and manage logical switches deployed on the host
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
November 27, 2018
10:00 AM PTWindows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Back to topOS Build 14393.2608
November 13, 2018
KB4467691Mitigated Last updated:
February 19, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >OS Build 15063.1771
April 25, 2019
KB4492242Mitigated May 10, 2019
10:35 AM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 15063.1563
January 08, 2019
KB4480973Mitigated April 25, 2019
02:00 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 15063.1689
March 12, 2019
KB4489871Resolved
KB4493436April 25, 2019
02:00 PM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topOS Build 15063.1771
April 25, 2019
KB4492242Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 15063.1689
March 12, 2019
KB4489871Resolved
KB4493436Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
new file mode 100644
index 0000000000..2618d42ebf
--- /dev/null
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -0,0 +1,111 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1709 and Windows Server, version 1709
+metadata:
+ document_id:
+ title: Windows 10, version 1709 and Windows Server, version 1709
+ description: View annoucements and review known issues and fixes for Windows 10 version 1709 and Windows Server 1709
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 10, version 1709 and Windows Server, version 1709. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details >OS Build 16299.1127
April 25, 2019
KB4493440Investigating April 25, 2019
02:00 PM PTLayout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >OS Build 16299.1111
April 25, 2019
KB4492243Mitigated May 10, 2019
10:35 AM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 16299.904
January 08, 2019
KB4480978Mitigated April 25, 2019
02:00 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493440April 25, 2019
02:00 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topOS Build 16299.1111
April 25, 2019
KB4492243Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Zone transfers over TCP may fail
Back to topOS Build 16299.1127
April 25, 2019
KB4493440Investigating Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 25, 2019
02:00 PM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Custom URI schemes may not start corresponding application
Back to topOS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493440Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
new file mode 100644
index 0000000000..9fea9cbeb3
--- /dev/null
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -0,0 +1,114 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1803
+metadata:
+ document_id:
+ title: Windows 10, version 1803
+ description: View annoucements and review known issues and fixes for Windows 10 version 1803
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topOS Build 16299.904
January 08, 2019
KB4480978Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details >OS Build 17134.753
April 25, 2019
KB4493437Investigating April 25, 2019
02:00 PM PTLayout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >OS Build 17134.730
April 25, 2019
KB4492245Mitigated May 10, 2019
10:35 AM PTIssue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details >OS Build 17134.648
March 12, 2019
KB4489868Mitigated April 25, 2019
02:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 17134.523
January 08, 2019
KB4480966Mitigated April 25, 2019
02:00 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493437April 25, 2019
02:00 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topOS Build 17134.730
April 25, 2019
KB4492245Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Zone transfers over TCP may fail
Back to topOS Build 17134.753
April 25, 2019
KB4493437Investigating Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 25, 2019
02:00 PM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Issue using PXE to start a device from WDS Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
+
Back to topOS Build 17134.648
March 12, 2019
KB4489868Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Back to topOS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493437Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
new file mode 100644
index 0000000000..afb53b80c9
--- /dev/null
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -0,0 +1,135 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1809 and Windows Server 2019
+metadata:
+ document_id:
+ title: Windows 10, version 1809 and Windows Server 2019
+ description: View annoucements and review known issues and fixes for Windows 10 version 1809 and Windows Server 2019
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues and the status of the rollout for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topOS Build 17134.523
January 08, 2019
KB4480966Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+
+ Current status:
+ Windows 10, version 1809 is designated for broad deployment and available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
+
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >OS Build 17763.475
May 03, 2019
KB4495667Mitigated May 10, 2019
10:35 AM PTDevices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F
See details >OS Build 17763.437
April 09, 2019
KB4493509Mitigated May 03, 2019
10:59 AM PTPrinting from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.
See details >OS Build 17763.379
March 12, 2019
KB4489899Mitigated May 02, 2019
04:47 PM PTIssue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details >OS Build 17763.379
March 12, 2019
KB4489899Mitigated April 09, 2019
10:00 AM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 17763.253
January 08, 2019
KB4480116Mitigated April 09, 2019
10:00 AM PTAudio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.
See details >OS Build 17763.134
November 13, 2018
KB4467708Mitigated March 15, 2019
12:00 PM PTLatest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.
See details >OS Build 17763.475
May 03, 2019
KB4495667Resolved May 08, 2019
03:37 PM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809
See details >OS Build 17763.437
April 09, 2019
KB4493509Resolved May 08, 2019
03:30 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 17763.379
March 12, 2019
KB4489899Resolved
KB4495667May 03, 2019
12:40 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topOS Build 17763.475
May 03, 2019
KB4495667Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PTDevices with some Asian language packs installed may receive an error
Back to topOS Build 17763.437
April 09, 2019
KB4493509Mitigated Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PTPrinting from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Back to topOS Build 17763.379
March 12, 2019
KB4489899Mitigated Last updated:
May 02, 2019
04:47 PM PT
Opened:
May 02, 2019
04:47 PM PTLatest cumulative update (KB 4495667) installs automatically
Back to topOS Build 17763.475
May 03, 2019
KB4495667Resolved Resolved:
May 08, 2019
03:37 PM PT
Opened:
May 05, 2019
12:01 PM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History System may be unresponsive after restart if ArcaBit antivirus software installed
Back to topOS Build 17763.437
April 09, 2019
KB4493509Resolved Resolved:
May 08, 2019
03:30 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Issue using PXE to start a device from WDS Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
+
Back to topOS Build 17763.379
March 12, 2019
KB4489899Mitigated Last updated:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Back to topOS Build 17763.379
March 12, 2019
KB4489899Resolved
KB4495667Resolved:
May 03, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: November 2018
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topOS Build 17763.253
January 08, 2019
KB4480116Mitigated Last updated:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
new file mode 100644
index 0000000000..0ce3cb79c0
--- /dev/null
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -0,0 +1,109 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 7 and Windows Server 2008 R2 SP1
+metadata:
+ document_id:
+ title: Windows 7 and Windows Server 2008 R2 SP1
+ description: View annoucements and review known issues and fixes for Windows 7 and Windows Server 2008 R2 SP1
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 7 and Windows Server 2008 R2 SP1. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Back to topOS Build 17763.134
November 13, 2018
KB4467708Mitigated Last updated:
March 15, 2019
12:00 PM PT
Opened:
November 13, 2018
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >April 25, 2019
KB4493453Mitigated May 10, 2019
10:35 AM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493472Mitigated May 08, 2019
03:29 PM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493472Mitigated May 03, 2019
08:50 AM PTAuthentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details >March 12, 2019
KB4489878Mitigated April 25, 2019
02:00 PM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493472Mitigated April 25, 2019
02:00 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493472Mitigated April 25, 2019
02:00 PM PTDevices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >April 09, 2019
KB4493472Resolved April 25, 2019
02:00 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topApril 25, 2019
KB4493453Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History System may be unresponsive after restart if ArcaBit antivirus software installed
Back to topApril 09, 2019
KB4493472Mitigated Last updated:
May 08, 2019
03:29 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart if Avira antivirus software installed
Back to topApril 09, 2019
KB4493472Mitigated Last updated:
May 03, 2019
08:50 AM PT
Opened:
April 09, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Back to topApril 09, 2019
KB4493472Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493472Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PTDevices may not respond at login or Welcome screen if running certain Avast software
Back to topApril 09, 2019
KB4493472Resolved Resolved:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
new file mode 100644
index 0000000000..a16b0e0d20
--- /dev/null
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -0,0 +1,120 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 8.1 and Windows Server 2012 R2
+metadata:
+ document_id:
+ title: Windows 8.1 and Windows Server 2012 R2
+ description: View annoucements and review known issues and fixes for Windows 8.1 and Windows Server 2012 R2
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows 8.1 and Windows Server 2012 R2. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Authentication may fail for services after the Kerberos ticket expires
Back to topMarch 12, 2019
KB4489878Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >April 25, 2019
KB4493443Mitigated May 10, 2019
10:35 AM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493446Mitigated May 08, 2019
03:29 PM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493446Mitigated May 03, 2019
08:50 AM PTIssue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details >March 12, 2019
KB4489881Mitigated April 25, 2019
02:00 PM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493446Mitigated April 25, 2019
02:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details >January 08, 2019
KB4480963Mitigated April 25, 2019
02:00 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493446Mitigated April 18, 2019
05:00 PM PTDevices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >April 09, 2019
KB4493446Resolved April 25, 2019
02:00 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topApril 25, 2019
KB4493443Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History System may be unresponsive after restart if ArcaBit antivirus software installed
Back to topApril 09, 2019
KB4493446Mitigated Last updated:
May 08, 2019
03:29 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart if Avira antivirus software installed
Back to topApril 09, 2019
KB4493446Mitigated Last updated:
May 03, 2019
08:50 AM PT
Opened:
April 09, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Back to topApril 09, 2019
KB4493446Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493446Mitigated Last updated:
April 18, 2019
05:00 PM PT
Opened:
April 09, 2019
10:00 AM PTDevices may not respond at login or Welcome screen if running certain Avast software
Back to topApril 09, 2019
KB4493446Resolved Resolved:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Issue using PXE to start a device from WDS Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
+
Back to topMarch 12, 2019
KB4489881Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
new file mode 100644
index 0000000000..689abfde38
--- /dev/null
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -0,0 +1,93 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows Server 2008 SP2
+metadata:
+ document_id:
+ title: Windows Server 2008 SP2
+ description: View annoucements and review known issues and fixes for Windows Server 2008 SP2
+ keywords: Windows, Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows Server 2008 SP2. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topJanuary 08, 2019
KB4480963Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493471Mitigated May 03, 2019
08:51 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493471Mitigated April 25, 2019
02:00 PM PTAuthentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details >March 12, 2019
KB4489880Mitigated April 25, 2019
02:00 PM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History System may be unresponsive after restart if Avira antivirus software installed
Back to topApril 09, 2019
KB4493471Mitigated Last updated:
May 03, 2019
08:51 AM PT
Opened:
April 09, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Back to topApril 09, 2019
KB4493471Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
new file mode 100644
index 0000000000..be5f206c02
--- /dev/null
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -0,0 +1,114 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows Server 2012
+metadata:
+ document_id:
+ title: Windows Server 2012
+ description: View annoucements and review known issues and fixes for Windows Server 2012
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+- items:
+ - type: markdown
+ text: "
+ Find information on known issues for Windows Server 2012. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+
+ "
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 3
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+- items:
+ - type: markdown
+ text: "
+
+ "
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Authentication may fail for services after the Kerberos ticket expires
Back to topMarch 12, 2019
KB4489880Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
+
+- title: Known issues
+- items:
+ - type: markdown
+ text: "
+
+ "
+
+- title: Issue details
+- items:
+ - type: markdown
+ text: "
+ Summary Originating update Status Last updated Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >April 25, 2019
KB4493462Mitigated May 10, 2019
10:35 AM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493451Mitigated May 03, 2019
08:51 AM PTIssue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details >March 12, 2019
KB4489891Mitigated April 25, 2019
02:00 PM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493451Mitigated April 25, 2019
02:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details >January 08, 2019
KB4480975Mitigated April 25, 2019
02:00 PM PT
+ "
+
+- title: April 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Layout and cell size of Excel sheets may change when using MS UI Gothic
Back to topApril 25, 2019
KB4493462Mitigated Last updated:
May 10, 2019
10:35 AM PT
Opened:
May 10, 2019
10:35 AM PT
+ "
+
+- title: March 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History System may be unresponsive after restart if Avira antivirus software installed
Back to topApril 09, 2019
KB4493451Mitigated Last updated:
May 03, 2019
08:51 AM PT
Opened:
April 09, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Back to topApril 09, 2019
KB4493451Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
+ "
+
+- title: January 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Issue using PXE to start a device from WDS Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
+
Back to topMarch 12, 2019
KB4489891Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT
+ "
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
new file mode 100644
index 0000000000..bcea3b01d7
--- /dev/null
+++ b/windows/release-information/windows-message-center.yml
@@ -0,0 +1,104 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10 message center
+metadata:
+ document_id:
+ title: Windows 10 message center
+ description: Windows 10 message center
+ keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+ ms.localizationpriority: high
+ author: greg-lindsay
+ ms.author: greglin
+ manager: dougkim
+ ms.topic: article
+ ms.devlang: na
+
+sections:
+
+- items:
+ - type: list
+ style: cards
+ className: cardsM
+ columns: 2
+ items:
+
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540
+ html: Read the announcement >
+ image:
+ src: https://docs.microsoft.com//media/common/i_deploy.svg
+ title: Windows 10, version 1809 designated for broad deployment
+ - href: https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency
+ html: Find out more >
+ image:
+ src: https://docs.microsoft.com/media/common/i_whats-new.svg
+ title: Improvements to the Windows 10 update experience are coming
+ - href: https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience
+ html: Learn about our approach >
+ image:
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: How do we measure and improve the quality of Windows?
+ - href: https://docs.microsoft.com/windows/windows-10/release-information
+ html: Visit the Windows 10 release information page >
+ image:
+ src: https://docs.microsoft.com/media/common/i_download-monitor.svg
+ title: Find a list of currently supported versions and previous releases
+
+- title: Recent announcements
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Certain operations performed on a Cluster Shared Volume may fail
Back to topJanuary 08, 2019
KB4480975Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
+ "
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 0b2f989db7..3b7f39ee7e 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -258,279 +258,286 @@ The following tables provide descriptions of the default groups that are located
Message Date Reminder: Windows 10 update servicing cadence
+
+
+ For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.May 10, 2019
10:00 AM PTTake action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support
A standalone update, KB4493730, that introduce SHA-2 code sign support for the servicing stack (SSU) was released today as a security update.April 19, 2019
10:00 AM PTThe benefits of Windows 10 Dynamic Update
+
+April 17, 2019
11:26 AM PTImprovements to the Windows 10 update experience are coming
Find out about the changes coming to the Windows update process that will improve the experience, offer users more control, and improve the quality of Windows updates.April 04, 2019
09:00 AM PTTake action: review your Windows Update for Business deferral values
+
+
+In order avoid this, you need to set your feature update deferral policy to 273 days or less.April 03, 2019
05:47 PM PTFind a list of currently supported versions and previous releases
Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it is no longer serviced or supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software. Check out the updated Windows 10 release information page for a list of current versions by servicing option as well as end of service dates.March 28, 2019
02:00 PM PTWindows 10, version 1809 designated for broad deployment
Based on the data and the feedback we’ve received from consumers, OEMs, ISVs, partners, and commercial customers, Windows 10, version 1809 has transitioned to broad deployment. With this, the Windows 10 release information page will now reflect Semi-Annual Channel (SAC) for version 1809.March 28, 2019
10:00 AM PTReminder: Additional servicing for the Windows 10 Enterprise, Education, and IoT Enterprise, version 1607 ends April 9, 2019 March 12, 2019
10:00 AM PTReminder: Windows 10 Home, Pro, Pro for Workstations, and IoT Core, version 1709 will reach end of service on April 9, 2019 March 12, 2019
10:00 AM PTTake action: Install standalone security updates to introduce SHA-2 code sign support for Windows 7 amd Windows Server 2008 R2
A standalone SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7 is now available, as is a servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1 that includes the SHA-2 code signing support update.March 12, 2019
10:00 AM PTTake action: Install standalone update for WSUS 3.0 SP2 to support the delivery of SHA-2 signed updates
A standalone update, KB4484071 is available on Windows Update Catalog for WSUS 3.0 SP2 that supports delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be manually installed no later than June 18, 2019.March 12, 2019
10:00 AM PTReminder: Final Delta update for Windows 10, version 1607, 1703, 1709, and 1803 will be April 9, 2019
March 12th and April 9th will be the last two Delta updates for Windows 10, version 1607, 1703, 1709, and 1803. Security and quality updates will continue to be available via the express and full cumulative update packages.March 12, 2019
10:00 AM PTHow do we measure and improve the quality of Windows?
+
+March 06, 2019
10:23 AM PTGetting to know the Windows update history pages February 21, 2019
06:37 PM PTShare your feedback: Windows update history
We read every comment you leave on our update history pages, and are always looking to improve these pages and the monthly knowledge base (KB) articles that accompany each monthly update. Take our survey and let us know how we can improve our transparency further and make these more compelling and useful to you and your organization.February 21, 2019
12:00 PM PTPlan for change: Windows Update for Business and the retirement of SAC-T
Beginning with Windows 10, version 1903 (the next feature update for Windows 10), the Windows 10 release information page will no longer list SAC-T information for version 1903 and future feature updates. Instead, you will find a single entry for each new SAC release. In addition, if you are using Windows Update for Business, you will see new UI and behavior to reflect that there is only one release date for each SAC release. If you use System Center Configuration Manager, Windows Server Update Services (WSUS), or other management tools, there will now only be one feature update published to WSUS, and this will occur at the time of release. Learn how this change will affect Windows Business for Update customers.February 14, 2019
12:00 PM PTChamps corner: Classifying Windows updates in common deployment tools
If you utilize automated update deployment tools, such as Windows Server Update Services (WSUS) or System Center Configuration Manager, you likely use automatic rules to streamline the approval and deployment of Windows updates. Using the correct update classification is, therefore, an important component of your organization’s device update process. Explore the options available and how to approach it in a WSUS or Configuration Manager environment.February 05, 2019
10:34 AM PTUpdate: Delta updates for Windows 10, version 1607, 1703, 1709, and 1803 will be available until April 9, 2019
Based on customer feedback, we are extending Delta update publication for Windows 10 versions 1607, 1703, 1709, and 1803. We will continue to provide Delta updates via the Microsoft Update Catalog through April 9th, 2019, which will be the last delta update available.February 05, 2019
09:00 AM PTGlobal DNS outage affecting Windows Update customers
Windows Update customers were affected by a network infrastructure event on January 29, 2019 (21:00 UTC), caused by an external DNS service provider’s global outage. A software update to the external provider’s DNS servers resulted in the distribution of corrupted DNS records that affected connectivity to the Windows Update service. The DNS records were restored by January 30, 2019 (00:10 UTC), and the majority of local Internet Service Providers (ISP) have refreshed their DNS servers and customer services have been restored.January 29, 2019
04:15 PM PTApplication compatibility in the Windows ecosystem
Our application ecosystem is incredibly diverse, encompassing tens of millions of applications (apps) with numerous versions, languages, architectures, services and configuration options. While our ecosystem is complex, our vision is simple. All apps on Windows devices should just work! Explore the various programs and technologies we use to improve application compatibility.January 15, 2019
10:00 AM PTModern desktop servicing: the year in review
2018 was a pivotal year for the modern desktop and the servicing transformation journey we have been taking with you and your organization. In this post, John Wilcox takes a look back and recaps the progress that has been made, highlighting significant events, and provideing nsight into what 2019 has in store.December 19, 2018
02:20 PM PTDriver quality in the Windows ecosystem
Ensuring Windows 10 works great with all the devices and accessories our customers use is a top priority. We work closely with this broad mix of partners to test new drivers, monitor health characteristics over time, and make Windows and our ecosystem more resilient architecturally. Our goal is to ensure that all the updates and drivers we deliver to non-Insider populations are validated and at production quality (including monthly optional releases) before pushing drivers broadly to all. Explore the driver distribution chain and learn how we measure driver quality and prevent conflicts.December 19, 2018
10:04 AM PTIntroducing the Modern Desktop podcast series
In this new podcast series, we'll explore the good, the bad, and, yes, the ugly of servicing and delivery for Windows 10 and Office 365 ProPlus. We'll talk about modern desktop management through Enterprise Mobility, security, and cloud-attached and co-managed environments. Listen to the first episode, in which we discuss monthly quality updates fpr Windows 10, the Microsoft 365 Stay Current pilot program, and interview a real customer to see how they ingest monthly updates in their organization.December 18, 2018
01:00 PM PTMeasuring Delivery Optimization and its impact to your network
If you've familiarized yourself with the configuration options for Delivery Optimization in Windows 10, and have started to configure the settings you feel will be the best fit for your organization’s network topology, now is the time to see how well those settings are working. This article provides tips on how evaluate performance at the device level or organization level.December 13, 2018
03:48 PM PTWindows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort.December 10, 2018
10:00 AM PTLTSC: What is it, and when should it be used?
With the Semi-Annual Channel, devices receive two feature updates per year, and benefit from the best performance, user experience, security, and stability. This servicing option continues to be our recommendation for managing Windows 10 updates; however, we acknowledge that certain devices and use cases (e.g. medical systems and industrial process controllers) dictate that functionality and features don’t change over time. Find out how we designed the Long-Term Servicing Channel (LTSC) with these types of use cases in mind, and what is offered through the LTSC.November 29, 2018
07:02 PM PTPlan for change: Local Experience Packs: What are they and when should you use them?
When we released Windows 10, version 1803, we introduced Local Experience Packs (LXPs), which are modern language packs delivered through the Microsoft Store or Microsoft Store for Business. Learn about the biggest advantage to LXPs, and the retirement of legacy language packs (lp.cab) for all Language Interface Packs (LIP).November 14, 2018
11:10 AM PTWindows 10 Quality approach for a complex ecosystem
While our measurements of quality show improving trends on aggregate for each successive Windows 10 release, if a single customer experiences an issue with any of our updates, we take it seriously. In this blog post, Windows CVP Mike Fortin shares an overview of how we work to continuously improve the quality of Windows and our Windows as a service approach. This blog will be the first in a series of more in-depth explanations of the work we do to deliver quality in our Windows releases.November 13, 2018
10:00 AM PTWindows 10, version 1809 rollout resumes; now available on VLSC
Today we are resuming the rollout of the latest Windows 10 feature update—Windows 10, version 1809—via the Software Download Center (via Update Assistant or the Media Creation Tool), Windows Server Update Services (WSUS), and Windows Update for Business. Windows 10, version 1809 is also now available on the Volume Licensing Service Center (VLSC).November 13, 2018
10:00 AM PTExpress updates for Windows Server 2016 re-enabled for November 2018 update
Starting with the November 13, 2018 Update Tuesday release, Windows will again publish Express updates for Windows Server 2016. That means that system administrators for WSUS and System Center Configuration Manager will once again see two packages for the Windows Server 2016 update: a Full update and an Express update. Read this article for more details.November 12, 2018
03:00 PM PTPlan for change: 2019 SHA-2 code signing support requirement for Windows and WSUS November 09, 2018
10:00 AM PT
[Device Owners](#bkmk-device-owners)
Yes
Yes
Yes
Yes
[Distributed COM Users](#bkmk-distributedcomusers)
Yes
Yes
Yes
Yes
[DnsUpdateProxy](#bkmk-dnsupdateproxy)
Yes
Yes
Yes
Yes
[DnsAdmins](#bkmk-dnsadmins)
Yes
Yes
Yes
Yes
[Domain Admins](#bkmk-domainadmins)
Yes
Yes
Yes
Yes
[Domain Computers](#bkmk-domaincomputers)
Yes
Yes
Yes
Yes
[Domain Controllers](#bkmk-domaincontrollers)
Yes
Yes
Yes
Yes
[Domain Guests](#bkmk-domainguests)
Yes
Yes
Yes
Yes
[Domain Users](#bkmk-domainusers)
Yes
Yes
Yes
Yes
[Enterprise Admins](#bkmk-entadmins)
Yes
Yes
Yes
Yes
[Enterprise Key Admins](#bkmk-enterprise-key-admins)
[Enterprise Key Admins](#enterprise-key-admins)
Yes
[Enterprise Read-only Domain Controllers](#bkmk-entrodc)
Yes
Yes
Yes
Yes
[Event Log Readers](#bkmk-eventlogreaders)
Yes
Yes
Yes
Yes
[Group Policy Creator Owners](#bkmk-gpcreatorsowners)
Yes
Yes
Yes
Yes
[Guests](#bkmk-guests)
Yes
Yes
Yes
Yes
[Hyper-V Administrators](#bkmk-hypervadministrators)
Yes
Yes
Yes
[IIS_IUSRS](#bkmk-iis-iusrs)
Yes
Yes
Yes
Yes
[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)
Yes
Yes
Yes
Yes
[Key Admins](#key-admins)
Yes
[Network Configuration Operators](#bkmk-networkcfgoperators)
Yes
Yes
Yes
Yes
[Performance Log Users](#bkmk-perflogusers)
Yes
Yes
Yes
Yes
[Performance Monitor Users](#bkmk-perfmonitorusers)
Yes
Yes
Yes
Yes
[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)
Yes
Yes
Yes
Yes
[Print Operators](#bkmk-printoperators)
Yes
Yes
Yes
Yes
[Protected Users](#bkmk-protectedusers)
Yes
Yes
[RAS and IAS Servers](#bkmk-rasandias)
Yes
Yes
Yes
Yes
[RDS Endpoint Servers](#bkmk-rdsendpointservers)
Yes
Yes
Yes
[RDS Management Servers](#bkmk-rdsmanagementservers)
Yes
Yes
Yes
[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)
Yes
Yes
Yes
[Read-only Domain Controllers](#bkmk-rodc)
Yes
Yes
Yes
Yes
[Remote Desktop Users](#bkmk-remotedesktopusers)
Yes
Yes
Yes
Yes
[Remote Management Users](#bkmk-remotemanagementusers)
Yes
Yes
Yes
[Replicator](#bkmk-replicator)
Yes
Yes
Yes
Yes
[Schema Admins](#bkmk-schemaadmins)
Yes
Yes
Yes
Yes
[Server Operators](#bkmk-serveroperators)
Yes
Yes
Yes
Yes
[Storage Replica Administrators](#storage-replica-administrators)
Yes
[System Managed Accounts Group](#system-managed-accounts-group)
Yes
[Terminal Server License Servers](#bkmk-terminalserverlic)
Yes
Yes
Yes
Yes
[Users](#bkmk-users)
Yes
Yes
Yes
Yes
[Windows Authorization Access Group](#bkmk-winauthaccess)
Yes
Yes
Yes
Yes
[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)
Yes
| Attribute | +Value | +
|---|---|
Well-Known SID/RID |
+S-1-5-32-583 |
+
Type |
+BuiltIn Local |
+
Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
Default members |
+None |
+
Default member of |
+None |
+
Protected by ADMINSDHOLDER? |
+No |
+
Safe to move out of default container? |
+Can be moved out but it is not recommended |
+
Safe to delegate management of this group to non-Service admins? |
+No |
+
Default User Rights |
+[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight +[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight +[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege +[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege + |
+
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
-[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
-[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)
-[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
-[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
-[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
+[Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
+[Azure AD join authentication to Active Directory using a Key](#azure-ad-join-authentication-to-active-directory-using-a-key)
+[Azure AD join authentication to Active Directory using a Certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
+[Hybrid Azure AD join authentication using a Key](#hybrid-azure-ad-join-authentication-using-a-key)
+[Hybrid Azure AD join authentication using a Certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
## Azure AD join authentication to Azure Active Directory @@ -40,7 +40,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Azure AD join authentication to Active Directory using a Key  @@ -52,7 +51,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Azure AD join authentication to Active Directory using a Certificate  @@ -62,7 +60,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Hybrid Azure AD join authentication using a Key  @@ -76,7 +73,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Hybrid Azure AD join authentication using a Certificate  @@ -90,6 +86,3 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) - - diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 7eeaa651d5..23eed38ace 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -28,6 +28,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
+[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
@@ -56,7 +57,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.| [Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment +## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment  | Phase | Description | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index bf17a84426..84d389751b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -141,7 +141,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. -3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**. +3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.  4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. @@ -280,10 +280,10 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.  -3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. +3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.  -5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. +5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.  6. Sign out of the Microsoft Azure Portal. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 2e3ac6b145..a1981cd9c2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -28,7 +28,7 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Multi-factor Authentication Services](#multi-factor-authentication-services) +* [Multifactor Authentication Services](#multifactor-authentication-services) New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. @@ -80,7 +80,7 @@ If you do have an existing public key infrastructure, please review [Certificati ### Section Review ### > [!div class="checklist"] -> * Miniumum Windows Server 2012 Certificate Authority. +> * Minimum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. @@ -128,7 +128,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. @@ -141,7 +141,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index bab9bcf458..273991ec82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -28,13 +28,13 @@ Your environment is federated and you are ready to configure device registration > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. -Use this three phased approach for configuring device registration. +Use this three-phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) > [!NOTE] -> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> Before proceeding, you should familiarize yourself with device registration concepts such as: > * Azure AD registered devices > * Azure AD joined devices > * Hybrid Azure AD joined devices @@ -100,7 +100,7 @@ Federation server proxies are computers that run AD FS software that have been c Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. @@ -514,7 +514,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index ac6315a04d..8179a617a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -27,10 +27,10 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infrastructure) +* [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authentication](#multifactor-authentication) +* [Multifactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. @@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind ## Directory Synchronization ## The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. -Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). ### Section Review > [!div class="checklist"] @@ -96,7 +96,7 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016 ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service, or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -119,7 +119,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen
### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index f8613819f5..c622ab65bb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -37,10 +37,10 @@ This baseline provides detailed procedures to move your environment from an on-p ## Federated Baseline ## The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. -Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +> [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
@@ -48,7 +48,7 @@ Regardless of the baseline you choose, you’re next step is to familiarize your ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e295b98d48..22b4bd30cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -18,7 +18,7 @@ ms.date: 08/19/2018 # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows10, version 1703 or later +- Windows 10, version 1703 or later - Hybrid deployment - Certificate trust @@ -55,17 +55,17 @@ The remainder of the provisioning includes Windows Hello for Business requesting > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
@@ -73,9 +73,9 @@ The certificate authority validates the certificate was signed by the registrati ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision(*You are here*) +6. Sign-in and Provision (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 3d78b7a719..f127c06ae9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -23,7 +23,7 @@ ms.date: 08/19/2018 - Certificate trust -You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -44,7 +44,7 @@ For the most efficient deployment, configure these technologies in order beginni ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index d9874f88c3..4a4a80eced 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -80,7 +80,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. +> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL. ### Section Review ### @@ -124,7 +124,7 @@ If your organization uses Azure MFA on a per-consumption model (no licenses), th Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States #### -After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. ### Azure MFA via ADFS ### Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. @@ -135,7 +135,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multifactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. @@ -148,7 +148,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 9a49d7ab15..f7ec72d697 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -38,7 +38,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/) -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
@@ -47,7 +47,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 2c4dc3093c..617e922f94 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -26,7 +26,7 @@ ms.date: 08/19/2018 You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). > [!NOTE] @@ -38,7 +38,7 @@ Next, you need to synchronizes the on-premises Active Directory with Azure Activ ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index f59a78c750..e7e22f7c8f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -85,7 +85,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. ### Section Review ### > [!div class="checklist"] @@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 303b6ce403..129be903cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -34,10 +34,10 @@ The new deployment baseline helps organizations who are moving to Azure and Offi This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. -You’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-key-trust-prereqs.md) +> [Prerequisites](hello-hybrid-key-trust-prereqs.md)
@@ -45,7 +45,7 @@ You’re next step is to familiarize yourself with the prerequisites needed for ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 1700566e52..996e8121b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -77,7 +77,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. #### Device registration @@ -101,7 +101,6 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti > * Azure Active Directory Premium > * Enterprise Mobility Suite > * Enterprise Cloud Suite ->* A per-user and per-authentication consumption-based model that is billed monthly against Azure monetary commitment (Read [Multi-Factor Authentication Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) for more information) #### Directory synchronization @@ -136,7 +135,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. ## Planning a Deployment @@ -150,13 +149,13 @@ Choose the deployment model based on the resources your users access. Use the f If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. -If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. +If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users' access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. >[!NOTE] >If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. >```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` ->* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. +>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. >* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement > * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. > * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. @@ -197,7 +196,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credential remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credentials remain on the on-premises network. ### Multifactor Authentication @@ -274,7 +273,7 @@ Public key infrastructure prerequisites already exist in your planning worksheet If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure. -If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. +If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section. The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index c9ba5464a6..9ea0ddd3dc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -529,7 +529,7 @@ Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also -- [Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker overview](bitlocker-overview.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 9879494122..1325357065 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -29,12 +29,14 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. -Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. +Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. +This is applicable to Azure Hybrid AD as well. + ## Managing workplace-joined PCs and phones @@ -51,7 +53,7 @@ If you are installing a server manually, such as a stand-alone server, then choo Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). - For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles). + For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles). ## PowerShell examples @@ -134,4 +136,4 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell) -[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs) \ No newline at end of file +[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 86ebe29111..72fd992131 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/17/2019 +ms.date: 04/24/2019 --- # Prepare your organization for BitLocker: Planning and policies @@ -201,8 +201,8 @@ However, you cannot use recovery passwords generated on a system in FIPS mode fo ## More information -- [Trusted Platform Module](/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md) -- [TPM Group Policy settings](/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md) +- [Trusted Platform Module](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-top-node) +- [TPM Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) - [BitLocker](bitlocker-overview.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index eacf850aab..f715eb932d 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -50,6 +50,24 @@ As a result, if the currently used PCR bank is switched all keys that have been Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor. +## How can I identify which PCR bank is being used? + +A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. + +- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+- DWORD: TPMActivePCRBanks
+- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
+ +Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. + +You can identify which PCR bank is currently used by Windows by looking at the registry. + +- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+- DWORD: TPMDigestAlgID
+- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
+ +Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. + ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 3f858bbcb9..263963d4db 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -19,7 +19,7 @@ ms.date: 11/29/2018 # Trusted Platform Module Technology Overview **Applies to** -- Windows 10 +- Windows 10 - Windows Server 2016 - Windows Server 2019 @@ -53,13 +53,13 @@ Certificates can be installed or created on computers that are using the TPM. Af Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. -Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. +Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). ## New and changed functionality -For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module). +For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module). ## Device health attestation @@ -78,7 +78,7 @@ Some things that you can check on the device are: ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | |-------------|-------------|---------------------|---------------------| | TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | | TPM 2.0 | Yes | Yes | Yes | @@ -87,5 +87,12 @@ Some things that you can check on the device are: ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) +- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 7728af0c4f..33ced2e6e3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/17/2019 +ms.date: 05/13/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -21,23 +21,25 @@ ms.date: 04/17/2019 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) -Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device. +Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. ## Differences between MDM and MAM for WIP You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: -- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. -- MAM supports only one user per device. -- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md). - MAM has additional **Access** settings for Windows Hello for Business. - MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device. - MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). - An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +- MAM supports only one user per device. +- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md). +- Only MDM can use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) policies. +- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. + ## Prerequisites -Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Configure the MDM or MAM provider @@ -96,7 +98,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**  -To add multiple Store apps, click the elipsis **…**. +To add multiple Store apps, click the ellipsis **…**. If you don't know the Store app publisher or product name, you can find them by following these steps. @@ -185,7 +187,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo -To add another Desktop app, click the elipsis **…**. After you’ve entered the info into the fields, click **OK**. +To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**.  @@ -401,7 +403,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor  ## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include policy that defines your enterprise network locations. +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). @@ -560,56 +562,50 @@ After you create and deploy your WIP policy to your employees, Windows begins to  ## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. +After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. -**To set your optional settings** - -1. Choose to set any or all optional settings: - -  - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + + +**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **On.** Turns on the feature and provides the additional protection. +- **On.** Turns on the feature and provides the additional protection. - - **Off, or not configured.** Doesn't enable this feature. +- **Off, or not configured.** Doesn't enable this feature. - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: +**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. +- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. +- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - - **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: +**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. +- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. +- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). - - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. - - - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - - - **On.** Starts Windows Search Indexer to index encrypted files. - - - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. - -## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. - -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. - -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive. - ->[!IMPORTANT] ->Curly braces -- {} -- are required around the RMS Template ID. + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. + +- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. +>Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + +**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. + +- **On.** Starts Windows Search Indexer to index encrypted files. + +- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. + +## Encrypted file extensions + +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. + + ## Related topics diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 101b9976ad..8cb0bcd6e9 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/05/2019 +ms.date: 05/13/2019 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager @@ -462,15 +462,6 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - >[!IMPORTANT] - >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - **Yes (recommended).** Turns on the feature and provides the additional protection. @@ -483,12 +474,14 @@ After you've decided where your protected apps can access enterprise data on you - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. + 2. After you pick all of the settings you want to include, click **Summary**. ## Review your configuration choices in the Summary screen diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 3de2479c2a..600663b95b 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/26/2019 +ms.date: 05/02/2019 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) @@ -70,6 +70,9 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop +>[!NOTE] +>Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. + ## List of WIP-work only apps from Microsoft Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index cfcae5b9de..02d2fe3e81 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -13,15 +13,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/15/2019 +ms.date: 04/30/2019 --- # How Windows Information Protection (WIP) protects a file that has a sensitivity label **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Windows 10, version 1903 - Windows 10, version 1809 +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. Microsoft information protection technologies work together as an integrated solution to help enterprises: @@ -38,52 +43,73 @@ Microsoft information protection technologies include: - [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization. -End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: +## How WIP protects sensitivity labels with endpoint data loss prevention + +You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center. +When you create a sensitivity label, you can specify that endpoint data loss prevention applies to content with that label. + + + +Office app users can choose a sensitivity label from a menu and apply it to a file.  -## Default WIP behaviors for a sensitivity label +WIP enforces default endpoint protection as follows: -Enterprises can create and manage sensitivity labels on the **Labels** page in the Office 365 Security & Compliance Center. -When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label. -WIP enforces default endpoint protection depending on how the sensitivity label is configured: +- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label +- If endpoint data loss prevention is not enabled: + - The device enforces work protection to a file downloaded from a work site + - The device does not enforce work protection to a file downloaded from a personal site -- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label -- When the sensitivity label is *not configured* for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM): - - If the document is downloaded from a work site, the device enforces work protection - - If the document is downloaded from a personal site, no work protection is applied - -For more information about labels, see [Overview of labels](https://docs.microsoft.com/office365/securitycompliance/labels). - -## Use cases - -This section covers how WIP works with sensitivity labels in specific use cases. - -### User downloads from or creates a document on a work site - -If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label. - -If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. - -### User downloads a confidential Office or PDF document from a personal site - -Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site. -If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site. -For example: +Here's an example where a file remains protected without any work context beyond the sensitivity label: 1. Sara creates a PDF file on a Mac and labels it as **Confidential**. -2. She emails the PDF from her Gmail account to Laura. -3. Laura opens the PDF file on her Windows 10 device. -4. WIP policy gets applied and the file is protected. +1. She emails the PDF from her Gmail account to Laura. +1. Laura opens the PDF file on her Windows 10 device. +1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site. +1. Windows Defender ATP triggers WIP policy. +1. WIP policy protects the file even though it came from a personal site. -The PDF file doesn't need any work context beyond the sensitivity label. +## How WIP protects automatically classified files + +The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903. + +### Discovery + +Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers. +When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type. + + + +A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on. +You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. + +### Protection + +When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined. +If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously. + +Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered. +Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise. + + + +You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name. + + + +>[!NOTE] +>Automatic classification does not change the file itself, but it applies protection based on the label. +>WIP protects a file that contains a sensitive information type as a work file. +>Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied. ## Prerequisites -- Windows 10, version 1809 -- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection -- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md). +- Endpoint data loss prevention requires Windows 10, version 1809 +- Auto labelling requires Windows 10, version 1903 +- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy +- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md) diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png new file mode 100644 index 0000000000..0148a800b2 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png new file mode 100644 index 0000000000..58f675399a Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png new file mode 100644 index 0000000000..dd6450af37 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png new file mode 100644 index 0000000000..3dbbb4e09b Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index cd8e0d0388..785925efdf 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png new file mode 100644 index 0000000000..8ec000d2a7 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png index e6c9769e68..5da4686e3f 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png index 4b66070098..89c1eae2a8 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png index 8d1815ddf9..b2fc9ee966 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png index 495fdfdb95..8af8967001 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png index c2c85c62d4..2d6cadb5c6 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png index c52e7a4fdb..f3d12e7f2f 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png differ diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 6574cf15e2..bb80483994 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -24,7 +24,7 @@ ms.date: 02/26/2019 - Windows 10, version 1703 and later - Windows 10 Mobile, version 1703 and later -With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). +With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. @@ -44,59 +44,42 @@ In the **Website learning report**, you can view a summary of the devices that h  -Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS). +Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. -## View the WIP app learning report in Microsoft Operations Management Suite +## Use the WIP section of Device Health -From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events: +You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more. - - -If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. - ->[!NOTE] ->Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention. +If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. Once you have WIP policies in place, by using the WIP section of Device Health, you can: - Reduce disruptive prompts by adding rules to allow data sharing from approved apps. - Tune WIP rules by confirming that certain apps are allowed or denied by current policy. - +## Use Device Health and Intune to adjust WIP protection policy -The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs. +The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - +1. In **Device Health** click the app you want to add to your policy and copy the publisher information. -In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy: - - +2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to. -Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies. +3. Click **Protected apps**, and then click **Add Apps**. -## Use OMS and Intune to adjust WIP protection policy - -1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy. - -2. Click the app you want to add to your policy and copy the publisher information from the app details screen. - -3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to. - -4. Click **Protected apps**, and then click **Add Apps**. - -5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). +4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).  -6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above. +5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.  -7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). +6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). -8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required). +7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required). -9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** +8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 4f4b1669a9..70be976126 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -277,7 +277,7 @@ ######## [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md) ######## [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md) -####### [Indicators (preview)](microsoft-defender-atp/ti-indicator.md) +####### [Indicators](microsoft-defender-atp/ti-indicator.md) ######## [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md) ######## [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md) ######## [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md) @@ -322,14 +322,14 @@ ###### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md) -##### API for custom alerts -###### [Enable the custom threat intelligence application](microsoft-defender-atp/enable-custom-ti.md) -###### [Use the threat intelligence API to create custom alerts](microsoft-defender-atp/use-custom-ti.md) -###### [Create custom threat intelligence alerts](microsoft-defender-atp/custom-ti-api.md) -###### [PowerShell code examples](microsoft-defender-atp/powershell-example-code.md) -###### [Python code examples](microsoft-defender-atp/python-example-code.md) -###### [Experiment with custom threat intelligence alerts](microsoft-defender-atp/experiment-custom-ti.md) -###### [Troubleshoot custom threat intelligence issues](microsoft-defender-atp/troubleshoot-custom-ti.md) +##### API for custom alerts (Deprecated) +###### [Enable the custom threat intelligence application (Deprecated)](microsoft-defender-atp/enable-custom-ti.md) +###### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md) +###### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md) +###### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md) +###### [Python code examples (Deprecated)](microsoft-defender-atp/python-example-code.md) +###### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md) +###### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md) ##### [Pull alerts to your SIEM tools](microsoft-defender-atp/configure-siem.md) @@ -347,7 +347,7 @@ ###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) ##### Interoperability -###### [Partner applications](windows-defender-atp/partner-applications.md) +###### [Partner applications](microsoft-defender-atp/partner-applications.md) ##### Role-based access control @@ -388,7 +388,7 @@ ######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) ##### APIs -###### [Enable Threat intel](microsoft-defender-atp/enable-custom-ti.md) +###### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md) ###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #####Rules diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index ea200b936f..4387af7e0b 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -224,7 +224,7 @@ The most common values: | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | | 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | -| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. | | 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 59fe69c754..7f303aadf3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -249,43 +249,43 @@ ###### [Advanced Hunting](run-advanced-query-api.md) -###### [Alert](alerts.md) -####### [List alerts](get-alerts.md) -####### [Create alert](create-alert-by-reference.md) -####### [Update Alert](update-alert.md) -####### [Get alert information by ID](get-alert-info-by-id.md) -####### [Get alert related domains information](get-alert-related-domain-info.md) -####### [Get alert related file information](get-alert-related-files-info.md) -####### [Get alert related IPs information](get-alert-related-ip-info.md) -####### [Get alert related machine information](get-alert-related-machine-info.md) -####### [Get alert related user information](get-alert-related-user-info.md) +###### [Alert](alerts-.md) +####### [List alerts](get-alerts-.md) +####### [Create alert](create-alert-by-reference-.md) +####### [Update Alert](update-alert-.md) +####### [Get alert information by ID](get-alert-info-by-id-.md) +####### [Get alert related domains information](get-alert-related-domain-info-.md) +####### [Get alert related file information](get-alert-related-files-info-.md) +####### [Get alert related IPs information](get-alert-related-ip-info-.md) +####### [Get alert related machine information](get-alert-related-machine-info-.md) +####### [Get alert related user information](get-alert-related-user-info-.md) -###### [Machine](machine.md) -####### [List machines](get-machines.md) -####### [Get machine by ID](get-machine-by-id.md) -####### [Get machine log on users](get-machine-log-on-users.md) -####### [Get machine related alerts](get-machine-related-alerts.md) -####### [Add or Remove machine tags](add-or-remove-machine-tags.md) -####### [Find machines by IP](find-machines-by-ip.md) +###### [Machine](machine-.md) +####### [List machines](get-machines-.md) +####### [Get machine by ID](get-machine-by-id-.md) +####### [Get machine log on users](get-machine-log-on-users-.md) +####### [Get machine related alerts](get-machine-related-alerts-.md) +####### [Add or Remove machine tags](add-or-remove-machine-tags-.md) +####### [Find machines by IP](find-machines-by-ip-.md) -###### [Machine Action](machineaction.md) -####### [List Machine Actions](get-machineactions-collection.md) -####### [Get Machine Action](get-machineaction-object.md) -####### [Collect investigation package](collect-investigation-package.md) -####### [Get investigation package SAS URI](get-package-sas-uri.md) -####### [Isolate machine](isolate-machine.md) -####### [Release machine from isolation](unisolate-machine.md) -####### [Restrict app execution](restrict-code-execution.md) -####### [Remove app restriction](unrestrict-code-execution.md) -####### [Run antivirus scan](run-av-scan.md) -####### [Offboard machine](offboard-machine-api.md) -####### [Stop and quarantine file](stop-and-quarantine-file.md) -####### [Initiate investigation (preview)](initiate-autoir-investigation.md) +###### [Machine Action](machineaction-.md) +####### [List Machine Actions](get-machineactions-collection-.md) +####### [Get Machine Action](get-machineaction-object-.md) +####### [Collect investigation package](collect-investigation-package-.md) +####### [Get investigation package SAS URI](get-package-sas-uri-.md) +####### [Isolate machine](isolate-machine-.md) +####### [Release machine from isolation](unisolate-machine-.md) +####### [Restrict app execution](restrict-code-execution-.md) +####### [Remove app restriction](unrestrict-code-execution-.md) +####### [Run antivirus scan](run-av-scan-.md) +####### [Offboard machine](offboard-machine-api-.md) +####### [Stop and quarantine file](stop-and-quarantine-file-.md) +####### [Initiate investigation (preview)](initiate-autoir-investigation-.md) -###### [Indicators (preview)](ti-indicator.md) -####### [Submit Indicator](post-ti-indicator.md) -####### [List Indicators](get-ti-indicators-collection.md) -####### [Delete Indicator](delete-ti-indicator-by-id.md) +###### [Indicators](ti-indicator-.md) +####### [Submit Indicator](post-ti-indicator-.md) +####### [List Indicators](get-ti-indicators-collection-.md) +####### [Delete Indicator](delete-ti-indicator-by-id-.md) ###### Domain ####### [Get domain related alerts](get-domain-related-alerts.md) @@ -396,8 +396,7 @@ - -## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md) +## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) ###Troubleshoot sensor state #### [Check sensor state](check-sensor-status.md) #### [Fix unhealthy sensors](fix-unhealthy-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index af72d5f0a0..628b631dbc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -91,11 +91,10 @@ When you enable this feature, you'll be able to incorporate data from Office 365 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts -This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it. +Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it. >[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. - +>The Microsoft Threat Experts capability in Windows Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). ## Microsoft Cloud App Security Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index a413656b87..7be4edfc77 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/04/2018 --- # Overview of Automated investigations @@ -34,8 +33,10 @@ The Automated investigations list shows all the investigations that have been in Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start. >[!NOTE] ->Currently, Automated investigation only supports Windows 10, version 1803 or later. ->Some investigation playbooks, like memory investigations, require Windows 10, version 1809 or later. +>Currently, Automated investigation only supports the following OS versions: +>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)) or later +>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later +>- Later versions of Windows 10 The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 460880caa2..05c041475c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/08/2018 --- # Configure alert notifications in Microsoft Defender ATP @@ -70,7 +69,7 @@ You can create rules that determine the machines and alert severities to send em Here's an example email notification: - + ## Edit a notification rule 1. Select the notification rule you'd like to edit. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index f3d4f3bdce..359337dcde 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -28,47 +28,40 @@ ms.topic: article -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. + + +## Onboarding non-Windows machines You'll need to take the following steps to onboard non-Windows machines: -1. Turn on third-party integration -2. Run a detection test +1. Select your preferred method of onboarding: -## Turn on third-party integration + - For macOS devices, you can choose to onboard through Windows Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac). + - For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**. + + 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. -1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed. + 2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices. -2. Select **Linux, macOS, iOS and Android** as the operating system. + 3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page. -3. Turn on the third-party solution integration. + 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require. -4. Click **Generate access token** button and then **Copy**. - -5. You’ll need to copy and paste the token to the third-party solution you’re using. The implementation may vary depending on the solution. - - ->[!WARNING] ->The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution. - -### Run detection test -Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution. - -The file should trigger a detection and a corresponding alert on Microsoft Defender ATP. + +2. Run a detection test by following the instructions of the third-party solution. ## Offboard non-Windows machines -To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Microsoft Defender Security Center. The toggle in the portal only blocks the data inbound flow. +1. Follow the third-party's documentation to disconnect the third-party solution from Windows Defender ATP. -1. Follow the third-party documentation to opt-out on the third-party service side. +2. Remove permissions for the third-party solution in your Azure AD tenant. + 1. Sign in to the [Azure portal](https://portal.azure.com). + 2. Select **Azure Active Directory > Enterprise Applications**. + 3. Select the application you'd like to offboard. + 4. Select the **Delete** button. -2. In the navigation pane, select **Settings** > **Onboarding**. - -3. Turn off the third-party solution integration. - ->[!WARNING] ->If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines. ## Related topics - [Onboard Windows 10 machines](configure-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index b1b0d49ae7..0342d470bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -26,27 +26,26 @@ ms.date: 02/28/2019 [!include[Prerelease information](prerelease.md)] ## Before you begin -To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview. +To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges. You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ## Register to Microsoft Threat Experts preview -If you're already a Microsoft Defender ATP customer, you can apply for preview through the Microsoft Defender ATP portal. +If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. -1. From the navigation pane, go to **Settings > General > Advanced features > Threat Experts**. +1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**. -2. Click **Apply for preview**. +2. Click **Apply**. + -3. In the **Apply for preview** dialog box, read and make sure you understand the preview's terms of agreement. +3. Enter your name and email address so that Microsoft can get back to you on your application. + -4. Enter your name and email address so that Microsoft can get back to you on your application. - -5. Read the privacy statement, then click **Submit** when you're done. - - >[!NOTE] - >You will receive a welcome email once your application is approved. Then, from the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. +4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved. + +6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. ## Receive targeted attack notification from Microsoft Threat Experts You can receive targeted attack notification from Microsoft Threat Experts through the following: @@ -56,7 +55,7 @@ You can receive targeted attack notification from Microsoft Threat Experts throu To receive targeted attack notifications through email, you need to create an email notification rule. ### Create an email notification rule -You can create rules to send email notifications for notification recipients. See Configure alert notifications to create, edit, delete, or troubleshoot email notification, for details. +You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) to create, edit, delete, or troubleshoot email notification, for details. ## View the targeted attack notification @@ -68,6 +67,9 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert ## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization +>[!NOTE] +>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. + You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. @@ -115,7 +117,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w **Threat intelligence details** - This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link? -- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor? +- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Windows Defender ATP provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 07cedb408e..6e843641a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -87,6 +87,12 @@ netsh winhttp set proxy
- On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). - -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). - -Once completed, you should see onboarded servers in the portal within an hour. - - -### Configure server proxy and Internet connectivity settings - -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service: - -Agent Resource | Ports -:---|:--- -| *.oms.opinsights.azure.com | 443 | -| *.blob.core.windows.net | 443 | -| *.azure-automation.net | 443 | -| *.ods.opinsights.azure.com | 443 | -| winatp-gw-cus.microsoft.com | 443 | -| winatp-gw-eus.microsoft.com | 443 | -| winatp-gw-neu.microsoft.com | 443 | -| winatp-gw-weu.microsoft.com | 443 | -|winatp-gw-uks.microsoft.com | 443 | -|winatp-gw-ukw.microsoft.com | 443 | -| winatp-gw-aus.microsoft.com | 443| -| winatp-gw-aue.microsoft.com |443 | - -## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. - -Supported tools include: -- Local script -- Group Policy -- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 -- VDI onboarding scripts for non-persistent machines - - For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. - -1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). - -2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: - - a. Set the following registry entry: - - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - - Name: ForceDefenderPassiveMode - - Value: 1 - - b. Run the following PowerShell command to verify that the passive mode was configured: - - ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` - - c. Confirm that a recent event containing the passive mode event is found: - -  - -3. Run the following command to check if Windows Defender AV is installed: - - ```sc query Windefend``` - - If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). - - -## Integration with Azure Security Center -Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. - ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. - -The following capabilities are included in this integration: -- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). - - >[!NOTE] - > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - -- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. -- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach - ->[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. ->- If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. - - - -## Offboard servers -You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. - -For other server versions, you have two options to offboard servers from the service: -- Uninstall the MMA agent -- Remove the Microsoft Defender ATP workspace configuration - ->[!NOTE] ->Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. - -### Uninstall servers by uinstalling the MMA agent -To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP. -For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). - -### Remove the Microsoft Defender ATP workspace configuration -To offboard the server, you can use either of the following methods: - -- Remove the Microsoft Defender ATP workspace configuration from the MMA agent -- Run a PowerShell command to remove the configuration - -#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent - -1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. - -2. Select the Microsoft Defender ATP workspace, and click **Remove**. - -  - -#### Run a PowerShell command to remove the configuration - -1. Get your Workspace ID: - a. In the navigation pane, select **Settings** > **Onboarding**. - - b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: - -  - -2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: - - ``` - # Load agent scripting object - $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg - # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) - # Reload the configuration and apply changes - $AgentCfg.ReloadConfiguration() - ``` - -## Related topics -- [Onboard Windows 10 machines](configure-endpoints.md) -- [Onboard non-Windows machines](configure-endpoints-non-windows.md) -- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +--- +title: Onboard servers to the Microsoft Defender ATP service +description: Onboard servers so that they can send sensor data to the Microsoft Defender ATP sensor. +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Onboard servers to the Microsoft Defender ATP service + +**Applies to:** + +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server, 2019 +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) + + +Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console. + +The service supports the onboarding of the following servers: +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server 2019 + + +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). + +## Windows Server 2012 R2 and Windows Server 2016 + +There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP: + +- **Option 1**: Onboard through Azure Security Center +- **Option 2**: Onboard through Microsoft Defender Security Center + +### Option 1: Onboard servers through Azure Security Center +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows Server 2012 R2 and 2016 as the operating system. + +3. Click **Onboard Servers in Azure Security Center**. + +4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). + +### Option 2: Onboard servers through Microsoft Defender Security Center +You'll need to tak the following steps if you choose to onboard servers through Microsoft Defender Security Center. + +- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. + + >[!NOTE] + >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +- Turn on server monitoring from Microsoft Defender Security Center. +- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + + +>[!TIP] +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). + +### Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + + +### Turn on Server monitoring from the Microsoft Defender Security Center portal + +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows Server 2012 R2 and 2016 as the operating system. + +3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. + + +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP + +1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). + +2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
+ On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). + +Once completed, you should see onboarded servers in the portal within an hour. + + +### Configure server proxy and Internet connectivity settings + +- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service: + +Agent Resource | Ports +:---|:--- +| *.oms.opinsights.azure.com | 443 | +| *.blob.core.windows.net | 443 | +| *.azure-automation.net | 443 | +| *.ods.opinsights.azure.com | 443 | +| winatp-gw-cus.microsoft.com | 443 | +| winatp-gw-eus.microsoft.com | 443 | +| winatp-gw-neu.microsoft.com | 443 | +| winatp-gw-weu.microsoft.com | 443 | +|winatp-gw-uks.microsoft.com | 443 | +|winatp-gw-ukw.microsoft.com | 443 | +| winatp-gw-aus.microsoft.com | 443| +| winatp-gw-aue.microsoft.com |443 | + +## Windows Server, version 1803 and Windows Server 2019 +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. + +Supported tools include: +- Local script +- Group Policy +- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 +- VDI onboarding scripts for non-persistent machines + + For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. + +1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). + +2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: + + a. Set the following registry entry: + - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - Name: ForceDefenderPassiveMode + - Value: 1 + + b. Run the following PowerShell command to verify that the passive mode was configured: + + ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + + c. Confirm that a recent event containing the passive mode event is found: + +  + +3. Run the following command to check if Windows Defender AV is installed: + + ```sc query Windefend``` + + If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + + +## Integration with Azure Security Center +Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. + +>[!NOTE] +>You'll need to have the appropriate license to enable this feature. + +The following capabilities are included in this integration: +- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). + + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + +- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. +- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach + +>[!IMPORTANT] +>- When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +>- If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. + + + +## Offboard servers +You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. + +For other server versions, you have two options to offboard servers from the service: +- Uninstall the MMA agent +- Remove the Microsoft Defender ATP workspace configuration + +>[!NOTE] +>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. + +### Uninstall servers by uinstalling the MMA agent +To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP. +For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). + +### Remove the Microsoft Defender ATP workspace configuration +To offboard the server, you can use either of the following methods: + +- Remove the Microsoft Defender ATP workspace configuration from the MMA agent +- Run a PowerShell command to remove the configuration + +#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent + +1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. + +2. Select the Microsoft Defender ATP workspace, and click **Remove**. + +  + +#### Run a PowerShell command to remove the configuration + +1. Get your Workspace ID: + a. In the navigation pane, select **Settings** > **Onboarding**. + + b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: + +  + +2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: + + ``` + # Load agent scripting object + $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg + # Remove OMS Workspace + $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + # Reload the configuration and apply changes + $AgentCfg.ReloadConfiguration() + ``` + +## Related topics +- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard non-Windows machines](configure-endpoints-non-windows.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md index daf80ba68b..d8c343030c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md @@ -15,10 +15,9 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- -# Create custom alerts using the threat intelligence (TI) application program interface (API) +# Create custom alerts using the threat intelligence (TI) application program interface (API) (Deprecated) **Applies to:** @@ -26,7 +25,6 @@ ms.date: 04/24/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md index 5f4decb253..b1ed34fe60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md @@ -15,17 +15,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 04/24/2018 --- -# Enable the custom threat intelligence API in Microsoft Defender ATP +# Enable the custom threat intelligence API in Microsoft Defender ATP (Deprecated) **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +>[!TIP] +>This topic has been deprecated. See [Indicators](ti-indicator-windows-defender-advanced-threat-protection-new.md) for the updated content. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md index 46b9862de4..741e7bde03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md @@ -18,7 +18,7 @@ ms.topic: article ms.date: 11/09/2017 --- -# Experiment with custom threat intelligence (TI) alerts +# Experiment with custom threat intelligence (TI) alerts (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 7e7425c210..2dc83b0d07 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -20,9 +20,10 @@ ms.topic: article # Machine health and compliance report in Microsoft Defender ATP **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!include[Prerelease information](prerelease.md)] + The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. The dashboard is structured into two sections: diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index ae0a28fb34..c02a9598e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -104,8 +104,7 @@ Alternatively, the team leader might assign the alert to the **Resolved** queue ## Alert classification -You can choose not to set a classification, or specify if an alert is a true alert or a false alert. - +You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. It's important to provide the classification of true positive/false positive. This classification is used to monitor alert quality, and make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification. ## Add comments and view the history of an alert You can add comments and view historical events about an alert to see previous changes made to the alert. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 24817cb48c..a96e4fe4a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/03/2018 --- # Learn about the automated investigations dashboard @@ -161,7 +160,7 @@ This tab is only displayed when an investigation is complete and shows all pendi ## Pending actions If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. - + When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md index b844902e72..b30f739163 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md @@ -64,5 +64,5 @@ You can define the conditions for when entities are identified as malicious or s ## Related topics - [Manage automation file uploads](manage-automation-file-uploads.md) -- [Manage allowed/blocked lists](manage-allowed-blocked-list.md) +- [Manage indicators](manage-indicators.md) - [Manage automation folder exclusions](manage-automation-folder-exclusions.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index db76c00fda..c74b1a805e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -22,7 +22,6 @@ ms.topic: article **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) @@ -39,7 +38,7 @@ On the top navigation you can: - Apply filters ## Create an indicator -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Indicators**. 2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: - File hash @@ -63,7 +62,7 @@ On the top navigation you can: ## Manage indicators -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Indicators**. 2. Select the tab of the entity type you'd like to manage. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index fd97704d03..df943f147c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 --- # Microsoft Threat Experts @@ -24,6 +23,7 @@ ms.date: 02/28/2019 [!include[Prerelease information](prerelease.md)] + Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. @@ -36,7 +36,11 @@ Microsoft Threat Experts provides proactive hunting for the most important threa - Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. ## Collaborate with experts, on demand -Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: +>[!NOTE] +>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. + +Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: + - Get additional clarification on alerts including root cause or scope of the incident - Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker - Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques @@ -44,4 +48,4 @@ Customers can engage our security experts directly from within Microsoft Defende ## Related topic -- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) \ No newline at end of file +- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index de7725645a..5fb7636dda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -31,7 +31,8 @@ Topic | Description [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. -Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. +[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. +Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Windows Defender ATP. Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index 24ba042fc8..4f2cd61854 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -31,7 +31,7 @@ The support for third-party solutions help to further streamline, integrate, and Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. ## SIEM integration -Microsoft Defender ATP supports SIEM integration through a variety of methods specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md). ## Ticketing and IT service management Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. @@ -49,12 +49,12 @@ External alerts can be pushed into Microsoft Defender ATP and is presented side- ## Indicators matching You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). -Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when theres a match. +Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match. Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. ## Support for non-Windows platforms -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products sensor data giving you a unified experience. +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience. diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md index ed590c851e..23d24eaf40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# PowerShell code examples for the custom threat intelligence API +# PowerShell code examples for the custom threat intelligence API (Deprecated) **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md index d855f619a5..d0dd4808c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md @@ -17,15 +17,12 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Python code examples for the custom threat intelligence API +# Python code examples for the custom threat intelligence API (Deprecated) **Applies to:** - - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ## Before you begin You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index 200d9396de..b7440c607e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -22,7 +22,6 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md index 96e1e19431..159081aa19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: troubleshooting --- -# Troubleshoot custom threat intelligence issues +# Troubleshoot custom threat intelligence issues (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 34c56e61d6..071bb7c778 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -23,45 +23,38 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Here are the new features in the latest release of Microsoft Defender ATP as well as security features in Windows 10 and Windows Server. +The following features are generally available (GA) in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. + + +For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). + +## May 2019 + +- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization. + + +- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. + +- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/ti-indicator)
APIs for indicators are now generally available. + + +- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + ## April 2019 -The following capability is generally available (GA). +- [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification)
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. -- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. +- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use-apis)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. -### In preview -The following capabilities are included in the April 2019 preview release. - -- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. - -## March 2019 -### In preview -The following capability are included in the March 2019 preview release. - -- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection)
The machine health and compliance report provides high-level information about the devices in your organization. - ## February 2019 -The following capabilities are generally available (GA). -- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. +- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor. - -### In preview -The following capability are included in the February 2019 preview release. - -- [Reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization. - -- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. ## October 2018 -The following capabilities are generally available (GA). - - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
All Attack surface reduction rules are now supported on Windows Server 2019. - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019. @@ -89,28 +82,6 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans. -### In preview -The following capabilities are included in the October 2018 preview release. - -For more information on how to turn on preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). - -- [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. -Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. - - >[!NOTE] - >Partially available from Windows 10, version 1809. - -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines. - - >[!NOTE] - >Available from Windows 10, version 1809 or later. - -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - -- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. - ## March 2018 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 7cd6b91162..95a0914890 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,26 +38,11 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value as the only accounts responsible for controlling process scheduling priorities. ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment - -### Default values - -By default this setting is Administrators on domain controllers and on stand-alone servers. - -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - -| Server type or GPO | Default value | -| - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group| -| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group| ## Policy management @@ -97,3 +82,4 @@ None. Restricting the **Increase scheduling priority** user right to members of ## Related topics - [User Rights Assignment](user-rights-assignment.md) +- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11)) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index de780c12e7..09d1d73345 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 05/01/2019 --- # Enable block at first sight @@ -22,15 +22,12 @@ ms.date: 09/03/2018 Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. -It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. +It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. -> [!IMPORTANT] -> There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. - >[!TIP] >You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. @@ -48,7 +45,7 @@ In many cases, this process can reduce the response time for new malware from ho ## Confirm and validate that block at first sight is enabled -Block at first sight requires a number of Group Policy settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. +Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. ### Confirm block at first sight is enabled with Intune @@ -64,10 +61,29 @@ Block at first sight requires a number of Group Policy settings to be configured - **Time extension for file scanning by the cloud**: **50** - **Prompt users before sample submission**: **Send all data without prompting** +  + For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). +### Enable block at first sight with SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. +1. Click **Home** > **Create Antimalware Policy**. +1. Enter a name and a description, and add these settings: + - **Real time protection** + - **Advanced** + - **Cloud Protection Service** +1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. +  +1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. +  +1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. +  +1. Click **OK** to create the policy. + + ### Confirm block at first sight is enabled with Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index d2a25e408c..3d0eb6ba8b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -20,6 +20,9 @@ ms.date: 12/10/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +> [!IMPORTANT] +> [Windows Defender Advanced Threat Protection ](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP. + You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 3185d40ef9..1e2938b2f4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -20,9 +20,9 @@ ms.date: 10/02/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation. +These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. Typical PUA behavior includes: @@ -37,25 +37,17 @@ These applications can increase the risk of your network being infected with mal ## How it works -PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions: +Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined. -- The file is being scanned from the browser -- The file is in a folder with "**downloads**" in the path -- The file is in a folder with "**temp**" in the path -- The file is on the user's desktop -- The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%* - -The file is placed in the quarantine section so it won't run. - -When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). +When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events -PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. +PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. -Hoever, PUA detections will be reported if you have set up email notifications for detections. +You can turn on email notifications for PUA detections. See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png new file mode 100644 index 0000000000..dc000099d3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png new file mode 100644 index 0000000000..1fb1745a5f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png new file mode 100644 index 0000000000..3a47dcf6d8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png new file mode 100644 index 0000000000..1a7467f581 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index bb6efd9718..d23ba3dc74 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -143,6 +143,9 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi 4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: 1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. + +> [!NOTE] +> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md new file mode 100644 index 0000000000..5652662325 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -0,0 +1,120 @@ +--- +title: Installing Microsoft Defender ATP for Mac manually +description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +  + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + +  + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + +  + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + +  + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + +  + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +  + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md new file mode 100644 index 0000000000..15bfabbd53 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -0,0 +1,170 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). + +  + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client Machine Setup + +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + + + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + + + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + + + +## Create System Configuration profiles + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + +  + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + + + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + +  + +6. Select **OK** and **Add**. + +  + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + +  + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + +  + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + +  + +## Verify client machine state + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + +  +  + +2. Verify the three profiles listed there: +  + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + +  + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md new file mode 100644 index 0000000000..d0ad4df2aa --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -0,0 +1,205 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# JAMF-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +  + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +## Create JAMF Policies + +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +### Configuration Profile + +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + +  + +### Approved Kernel Extension + +To approve the kernel extension: + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + + + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + + + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + +  + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + + + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +## Client machine setup + +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + + + + +After some time, the machine's User Approved MDM status will change to Yes. + + + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +## Deployment + +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +### Status on server + +You can monitor the deployment status in the Logs tab: + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled + + + +### Status on client machine + +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + + + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + + +You can monitor policy installation on a machine by following the JAMF's log file: + +```bash + mavel-mojave:~ testuser$ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash + mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +## Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +```bash + sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md new file mode 100644 index 0000000000..7f138a6ca7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -0,0 +1,157 @@ +--- +title: Microsoft Defender ATP for Mac Resources +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Resources + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Collecting diagnostic information + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1. Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2. Reproduce the problem + +3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4. Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Logging installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. + +### Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +### With a script + +Create a script in **Settings > Computer Management > Scripts**. + + + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +### With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + + + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + +## Microsoft Defender ATP portal information + +In the Microsoft Defender ATP portal, you'll see two categories of information: + +- AV alerts, including: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information, including: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine + +## Known issues + +- Not fully optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index c3f81f1e8e..d1d0dbd9cd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -20,20 +20,48 @@ ms.topic: conceptual # Microsoft Defender ATP for Mac >[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. + +## What’s new in the public preview + +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: + +- Full accessibility +- Improved performance +- Localization for 37 languages +- Improved anti-tampering protections +- Feedback and samples can now be submitted via the GUI. +- Product health can be queried with JAMF or the command line. +- Admins can set their cloud preference for any location, not just for those in the US. + +## Installing and configuring + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) + - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) + +### Prerequisites -## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Microsoft Defender Security Center. ### System Requirements -Microsoft Defender ATP for Mac system requirements: + - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) -- Disk space during preview: 1GB +- Disk space during preview: 1GB + +Beta versions of macOS are not supported. + +> [!CAUTION] +> Running other third-party endpoint protection along with Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects. After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. @@ -45,465 +73,14 @@ The following table lists the services and their associated URLs that your netwo To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -``` +```bash mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: - - Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal - - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - * [JAMF based deployment](#jamf-based-deployment) - * [Manual deployment](#manual-deployment) +## Resources -## Microsoft Intune based deployment - -### Download installation and onboarding packages -Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. - -  - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ``` - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -### Client Machine Setup -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - - - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - - - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - - - -### Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - -  - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -7. Repeat these steps with the second profile. -8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - - - -### Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - -  - -6. Select **OK** and **Add**. - -  - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - -  - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - -  - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - -  - -### Verify client machine state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - -  -  - -2. Verify the three profiles listed there: -  - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - -  - -## JAMF based deployment -### Prerequsites -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. - - -### Download installation and onboarding packages -Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - -  - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -### Create JAMF Policies -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -#### Configuration Profile -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - -  - -#### Approved Kernel Extension - -To approve the kernel extension: -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - - - -#### Configuration Profile's Scope -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - - - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -#### Package -1. Create a package in **Settings > Computer Management > Packages**. - -  - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -#### Policy -Your policy should contain a single package for Microsoft Defender. - - - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -### Client machine setup -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - - - - -After some time, the machine's User Approved MDM status will change to Yes. - - - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -### Deployment -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -#### Status on server -You can monitor the deployment status in the Logs tab: - - **Pending** means that the deployment is scheduled but has not yet happened - - **Completed** means that the deployment succeeded and is no longer scheduled - - - - -#### Status on client machine -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - - - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - - -You can monitor policy installation on a machine by following the JAMF's log file: - -``` -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: -``` -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -### Uninstalling Microsoft Defender ATP for Mac -#### Uninstalling with a script - -Create a script in **Settings > Computer Management > Scripts**. - - - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -``` -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -#### Uninstalling with a policy -Your policy should contain a single script: - - - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - -### Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -``` -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Microsoft Defender ATP service, and another exit code if it is not installed or registered. - -## Manual deployment - -### Download installation and onboarding packages -Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - -  - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -### Application installation -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - -  - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - -  - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - -  - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - -  - - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -### Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ``` - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` -2. Install the configuration file on a client machine: - - ``` - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ``` - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -  - -## Uninstallation -### Removing Microsoft Defender ATP from Mac devices -To remove Microsoft Defender ATP from your macOS devices: - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -Or, from a command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -## Known issues -- Microsoft Defender ATP is not yet optimized for performance or disk space. -- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). -- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Microsoft Defender ATP integration is not yet available -- Not localized yet -- There might be accessibility issues - -## Collecting diagnostic information -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ``` - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded -``` - - -### Installation issues -If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues. - - -For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_. +For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page. diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md new file mode 100644 index 0000000000..16fceaea85 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -0,0 +1,52 @@ +--- +title: Prevent security settings changes with Tamper Protection +description: Use tamper protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, tamper protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +--- + +# Prevent security settings changes with tamper protection + +**Applies to:** + +- Windows 10 + +Tamper protection helps prevent malicious apps from changing important security settings. These settings include: + +- Real-time protection +- Cloud-delivered protection +- IOfficeAntivirus (IOAV) +- Behavior monitoring +- Removing security intelligence updates + +With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: + +- Mobile device management (MDM) apps like Intune +- Enterprise configuration management apps like System Center Configuration Manager (SCCM) +- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) +- Group Policy +- Other Windows Management Instrumentation (WMI) apps + +The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app. + +On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting. + +Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**. + +## Configure tamper protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. + +>[!NOTE] +>If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection settings from within Windows Security App. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 7ae28017bf..9990a39719 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Education edition, version 1709 or higher
Windows 10 Pro Education edition, version 1803 or higher| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| |Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/sccm/)
**-OR-**
[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md new file mode 100644 index 0000000000..f3b11e8133 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -0,0 +1,73 @@ +--- +title: Get started with Windows Defender Advanced Threat Protection +description: Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. +keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 11/20/2018 +--- + +# Get started with Windows Defender Advanced Threat Protection +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + +Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. + +The following capabilities are available across multiple products that make up the Windows Defender ATP platform. + +**Threat & Vulnerability Management**
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience. + +**Attack surface reduction**
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + +**Next generation protection**
+To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + +**Endpoint detection and response**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + +**Auto investigation and remediation**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +**Secure score**
+Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. + +**Microsoft Threat Experts**
+Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. + +**Advanced hunting**
+Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. + +**Management and APIs**
+Integrate Windows Defender Advanced Threat Protection into your existing workflows. + +**Microsoft threat protection**
+Bring the power of Microsoft Threat Protection to your organization. + +## In this section +Topic | Description +:---|:--- +[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | Learn about the requirements for onboarding machines to the platform. +[Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. +[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Windows Defender ATP. +[Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). +[Evaluate Windows Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Windows Defender ATP and test features out. +[Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_applicationconfirmation.png b/windows/security/threat-protection/windows-defender-atp/images/MTE_applicationconfirmation.png new file mode 100644 index 0000000000..2c04ad2fc8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_applicationconfirmation.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_apply.png b/windows/security/threat-protection/windows-defender-atp/images/MTE_apply.png new file mode 100644 index 0000000000..a7096ee4aa Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_apply.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_collaboratewithmte.png b/windows/security/threat-protection/windows-defender-atp/images/MTE_collaboratewithmte.png new file mode 100644 index 0000000000..862c5ffbd7 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_collaboratewithmte.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/email-notification.png b/windows/security/threat-protection/windows-defender-atp/images/email-notification.png new file mode 100644 index 0000000000..1b9875fcad Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/email-notification.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/pending-actions.png b/windows/security/threat-protection/windows-defender-atp/images/pending-actions.png new file mode 100644 index 0000000000..8cb0f643a6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/pending-actions.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index f91e35c7df..d2421506b2 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -38,9 +38,10 @@ Topic | Description [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. [Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. +[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand. [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. [Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. -[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. +[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..1556c307d3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Windows Defender ATP preview features +description: Learn how to access Windows Defender Advanced Threat Protection preview features. +keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Windows Defender ATP preview features + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink) + + +Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. + +For more information on capabilities that are generally available, see [What's new in Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp). + + + +## Turn on preview features +You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. + +Turn on the preview experience setting to be among the first to try upcoming features. + +1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**. + +2. Toggle the setting between **On** and **Off** and select **Save preferences**. + +## Preview features +The following features are included in the preview release: + +- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. + + +- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) The machine health and compliance report provides high-level information about the devices in your organization. + +- [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)
+Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. + + >[!NOTE] + >Partially available from Windows 10, version 1809. + +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + + >[!NOTE] + >Available from Windows 10, version 1809 or later. + +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. + + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) + diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index be38700ccf..410ee5f85b 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -17,12 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Use the threat intelligence API to create custom alerts +# Use the threat intelligence API to create custom alerts (Deprecated) **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +>[!TIP] +>This topic has been deprecated. See [Indicators](ti-indicator-windows-defender-advanced-threat-protection-new.md) for the updated content. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index a44ac96a93..3a27c990a9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 04/02/2019 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/07/2019 --- # Reduce attack surfaces with attack surface reduction rules @@ -20,9 +20,12 @@ ms.date: 04/02/2019 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -79,6 +82,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. @@ -264,6 +268,15 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +### Block persistence through WMI event subscription + +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. + +Intune name: Block persistence through WMI event subscription + +SCCM name: Not yet available + +GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 0bc78c8573..95be5ed8d8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -27,7 +27,9 @@ You might want to do this when testing how the features will work in your organi While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Microsoft Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. + +You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 99f4b9d52c..4171f5879d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 12/19/2018 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/13/2019 --- # Customize attack surface reduction rules @@ -20,6 +20,9 @@ ms.date: 12/19/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. @@ -28,20 +31,18 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. - -This could potentially allow unsafe files to run and infect your devices. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. >[!WARNING] ->Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -> ->If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). +>This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. + +An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). -Exclusions apply to all attack surface reduction rules. Rule description | GUID -|:-:|- @@ -59,6 +60,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. @@ -72,9 +74,9 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to 4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -### Use PowerShell to exclude files and folderss +### Use PowerShell to exclude files and folders -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 88e1a4623b..0367233536 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic +ms.date: 05/13/2019 --- # Customize controlled folder access @@ -24,14 +25,14 @@ Controlled folder access helps you protect valuable data from malicious apps and This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): - [Add additional folders to be protected](#protect-additional-folders) -- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) +- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) >[!WARNING] >Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. > >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. - ## Protect additional folders +## Protect additional folders Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. @@ -41,7 +42,6 @@ Adding other folders to controlled folder access can be useful, for example, if You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). - You can use the Windows Security app or Group Policy to add and remove additional protected folders. ### Use the Windows Security app to protect additional folders @@ -89,13 +89,14 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. >[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. +>By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. -You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders. - When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. +An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. + + ### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -106,7 +107,7 @@ When you add an app, you have to specify the app's location. Only the app in tha 4. Click **Add an allowed app** and follow the prompts to add apps. -  +  ### Use Group Policy to allow specific apps @@ -120,7 +121,7 @@ When you add an app, you have to specify the app's location. Only the app in tha ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 9d654b3721..6bde089355 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -9,16 +9,33 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic +ms.date: 05/13/2019 --- # Enable attack surface reduction rules [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +Each ASR rule contains three settings: + +* Not configured: Disable the ASR rule +* Block: Enable the ASR rule +* Audit: Evaluate how the ASR rule would impact your organization if enabled + To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +You can enable attack surface reduction rules by using any of these methods: + +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) + +Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. + ## Exclude files and folders from ASR rules You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. @@ -26,7 +43,7 @@ You can exclude files and folders from being evaluated by most attack surface re >[!WARNING] >Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > ->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). +>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). >[!IMPORTANT] >File and folder exclusions do not apply to the following ASR rules: @@ -34,49 +51,61 @@ You can exclude files and folders from being evaluated by most attack surface re >- Block process creations originating from PSExec and WMI commands >- Block JavaScript or VBScript from launching downloaded executable content -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. - ->[!IMPORTANT] ->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. -## Enable and audit attack surface reduction rules +## Intune -It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs. +1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**. ->[!WARNING] ->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup. +2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md). - -Each ASR rule contains three settings: - -* Not configured: Disable the ASR rule -* Block: Enable the ASR rule -* Audit: Evaluate how the ASR rule would impact your organization if enabled - -For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). - -### Enable ASR rules in Intune - -1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*. - -2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. - -3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: - +3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: + *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* -4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. +4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. -### Enable ASR rules in SCCM +## MDM -For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -### Enable ASR rules with Group Policy +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). + +OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules + +Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 + +The values to enable, disable, or enable in audit mode are: + +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. + +Example: + +OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions + +Value: c:\path|e:\path|c:\Whitelisted.exe + +>[!NOTE] +>Be sure to enter OMA-URI values without spaces. + +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. +1. Choose which rules will block or audit actions and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + +## Group Policy >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. @@ -97,12 +126,12 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -### Enable ASR rules with PowerShell +## PowerShell >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: @@ -148,32 +177,6 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. -### Enable ASR rules with MDM CSPs - -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. - -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). - -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules - -Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 - -The values to enable, disable, or enable in audit mode are: - -- Disable = 0 -- Block (enable ASR rule) = 1 -- Audit = 2 - -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. - -Example: - -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions - -Value: c:\path|e:\path|c:\Whitelisted.exe - ->[!NOTE] ->Be sure to enter OMA-URI values without spaces. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 6c8a9ba1d5..b0dce6c339 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 03/29/2019 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/13/2019 --- # Enable controlled folder access @@ -20,28 +20,24 @@ ms.date: 03/29/2019 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. -You can enable controlled folder access by using any of the these methods: +You can enable controlled folder access by using any of these methods: -- Windows Security app -- Intune -- MDM -- Group Policy -- PowerShell cmdlets +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) - Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. ->[!NOTE] ->The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. ->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. ->See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works. ->
->Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: ->- Windows Defender Antivirus **Configure local administrator merge behavior for lists** ->- System Center Endpoint Protection **Allow users to add exclusions and overrides** ->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). +Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: +- Windows Defender Antivirus **Configure local administrator merge behavior for lists** +- System Center Endpoint Protection **Allow users to add exclusions and overrides** + +For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). ## Windows Security app @@ -51,6 +47,10 @@ You can enable controlled folder access by using any of the these methods: 3. Set the switch for **Controlled folder access** to **On**. +>[!NOTE] +>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. + ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. @@ -59,7 +59,12 @@ You can enable controlled folder access by using any of the these methods:  1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. +  + + >[!NOTE] + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. @@ -67,6 +72,17 @@ You can enable controlled folder access by using any of the these methods: Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Controlled folder access**, and click **Next**. +1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. + >[!NOTE] + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + ## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -80,14 +96,14 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. -  +  >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index da528e3360..28ebf8d7e3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 03/29/2019 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/09/2019 --- # Enable exploit protection @@ -26,13 +26,14 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -You can enable each mitigation separately by using any of the these methods: +You can enable each mitigation separately by using any of these methods: -- Windows Security app -- Intune -- MDM -- Group Policy -- PowerShell cmdlets +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) They are configured by default in Windows 10. @@ -124,6 +125,15 @@ CFG will be enabled for *miles.exe*. Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Exploit protection**, and click **Next**. +1. Browse to the location of the exploit protection XML file and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + ## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -231,15 +241,6 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. - - - - - - - - - ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 291b023277..d2d9ebc1e0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 04/01/2019 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/13/2019 --- # Enable network protection @@ -22,13 +22,14 @@ ms.date: 04/01/2019 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. -You can enable network protection by using any of the these methods: -- Intune -- MDM -- Group Policy -- PowerShell cmdlets -- Registry +You can enable network protection by using any of these methods: + +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) ## Intune @@ -45,9 +46,18 @@ You can enable network protection by using any of the these methods: Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Network protection**, and click **Next**. +1. Choose whether to block or audit access to suspicious domains and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + ## Group Policy -You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers. +You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 1. On a standalone computer, click **Start**, type and then click **Edit group policy**. @@ -78,7 +88,7 @@ You can confirm network protection is enabled on a local computer by using Regis ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ``` @@ -91,11 +101,8 @@ You can enable the feature in audit mode using the following cmdlet: Set-MpPreference -EnableNetworkProtection AuditMode ``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. -## - -Network protection can't be turned on using the Windows Security app, but you can enable it by ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 029b5392e1..97b520be30 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha +author: Justinha ms.author: justinha ms.date: 04/02/2019 --- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index a7de3f8d9d..1760cd9977 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 04/02/2019 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/10/2019 --- # Evaluate network protection @@ -22,7 +22,7 @@ ms.date: 04/02/2019 [Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain. +This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. >[!TIP] @@ -34,7 +34,7 @@ You can enable network protection in audit mode to see which IP addresses and do You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png new file mode 100644 index 0000000000..1253d68613 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png new file mode 100644 index 0000000000..00225ec18c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png new file mode 100644 index 0000000000..dfb1cb201b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png new file mode 100644 index 0000000000..2868712541 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png new file mode 100644 index 0000000000..bd2e57d73f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png new file mode 100644 index 0000000000..d7a896332a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png new file mode 100644 index 0000000000..1d16250401 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png new file mode 100644 index 0000000000..0655fdad69 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png new file mode 100644 index 0000000000..a9f11a2e95 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png new file mode 100644 index 0000000000..312167da41 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index d259d88575..74446e97d9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha -ms.date: 02/14/2019 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2019 --- # Protect your network @@ -24,7 +24,7 @@ Network protection helps reduce the attack surface of your devices from Internet It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -Network protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. +Network protection is supported beginning with Windows 10, version 1709. >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 3feaedade3..b9c76c1343 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -72,11 +72,11 @@ If you've tested the feature with the demo site and with audit mode, and network When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: - ```console + ``` cd c:\program files\windows defender ``` 2. Run this command to generate the diagnostic logs: - ```console + ``` mpcmdrun -getfiles ``` 3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index 00899f714f..ccc35c4967 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -50,12 +50,23 @@ Windows Defender SmartScreen helps to provide an early warning system against we ## Viewing Windows Defender SmartScreen anti-phishing events When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). + +## Viewing Windows event logs for SmartScreen +SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer. + + +|EventID | Description | +| :---: | :---: | +|1000 | Application SmartScreen Event| +|1001 | Uri SmartScreen Event| +|1002 | User Decision SmartScreen Event| + ## Related topics - [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) -- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx) - - [Threat protection](../index.md) ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).