diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7fd2c3cd5a..3c5cf80686 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3256,7 +3256,7 @@ The following list shows the supported values: > [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. +> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 1d4d3a7e86..310b0192c6 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -17,7 +17,7 @@ ms.date: 02/23/2018 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!Note] -> All aspects of the Update CSP aside from Rollback are not recommended for managing desktop devices. To manage desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation. Rollback can be used for desktop devices on 1803 and above. +> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. The following diagram shows the Update configuration service provider in tree format. diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 73e8c9e0fd..14db2c3cc4 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints: |||HTTPS|*ow1.res.office365.com| |||HTTPS|office.com| |||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|self.events.data.microsoft.com| |OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| |||TLSv1.2|*g.live.com| |||TLSv1.2|oneclient.sfx.ms| diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 1fe945f148..4fa6b49fc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -60,19 +60,21 @@ For more information about disabling local list merging, see [Prevent or allow u ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. -1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. - ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png) +2. Click **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+ +4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. + +5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
> [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -1. Click **OK** to save each open blade and click **Create**. -1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Click **OK** to save each open blade and click **Create**. + +7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM @@ -81,12 +83,17 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. + 2. Click **Home** > **Create Exploit Guard Policy**. + 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. + 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. > [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + 5. Review the settings and click **Next** to create the policy. + 6. After the policy is created, click **Close**. ## Group Policy