Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into URadditions

This commit is contained in:
jaimeo 2018-05-31 10:27:29 -07:00
commit fe4089db6c
93 changed files with 1029 additions and 1004 deletions

0
[!NOTE] Normal file
View File

View File

@ -444,13 +444,22 @@ This policy setting specifies whether you can use the Sync your Settings option
|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings |
|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Employees cannot sync settings between PCs.</li><li>**1 (default)** - Employees can sync between PCs.</li></ul> |
|Allowed values |<ul><li>**0** - Disable syncing between PCs.</li><li>**1 (default)** - Allow syncing between PCs.</li></ul> |
## Do not sync browser settings
>*Supported versions: Windows 10*
This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Experience/DoNotSynBrowserSettings |
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Experience/DoNotSynBrowserSettings |
|Data type |Integer |
|Allowed values |<ul><li>**0** - Disable browser syncing.</li><li>**1 (default)** - Allow browser syncing.</li></ul> |
## Keep favorites in sync between Internet Explorer and Microsoft Edge
>*Supported versions: Windows 10, version 1703 or later*
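Review bot: the MDM name and URI for the new policy read `Experience/DoNotSynBrowserSettings` (missing the c in Sync); if that is a typo the row will not match the Policy CSP node, so verify the exact node name before publishing. The allowed values also look inverted for a policy titled "Do not sync": value 1 (default) is described as "Allow browser syncing", while the prose says the default (disabled or not configured) leaves sync on, so confirm whether 1 really means the policy is enabled. The new table is also missing the `Location` row (Group Policy path) that the AllowSyncMySettings table above it carries, and the `## Do not sync browser settings` heading lands directly under the previous table without a blank line.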
@ -463,7 +472,7 @@ This policy setting specifies whether favorites are kept in sync between Interne
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge |
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Synchronization is turned off.</li><li>**1** - Synchronization is turned on.</li></ul> |
|Allowed values |<ul><li>**0 (default)** - Turn off synchronization.</li><li>**1** - Turn on synchronization.</li></ul> |
## Prevent access to the about:flags page
>*Supported versions: Windows 10, version 1607 or later*

View File

@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/21/2018
ms.date: 05/22/2018
---
# Change history for Microsoft HoloLens documentation
@ -24,6 +24,7 @@ New or changed topic | Description
[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | New
[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | New
[Microsoft Layout app](hololens-microsoft-layout-app.md) | New
[Set up HoloLens in kiosk mode](hololens-kiosk.md) | Added instructions for setting up a guest account for kiosk mode.
## Windows 10 Holographic for Business, version 1803

View File

@ -9,14 +9,14 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/30/2018
ms.date: 05/22/2018
---
# Set up HoloLens in kiosk mode
In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks.
In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest)
When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
@ -116,6 +116,22 @@ Follow [the instructions for creating a kiosk configuration XML file for desktop
- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens.
- Use the [placeholder Start XML](#start-kiosk) for HoloLens.
<span id="guest" />
#### Add guest access to the kiosk configuration (optional)
In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out.
Use the following snippet in your kiosk configuration XML to enable the **Guest** account:
```xml
<Configs>
<Config>
<SpecialGroup Name="Visitor" />
<DefaultProfile Id="enter a profile ID"/>
</Config>
</Configs>
```
<span id="add-xml"/>
### Add the kiosk configuration XML file to a provisioning package
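Review bot: the `DefaultProfile Id="enter a profile ID"` placeholder needs a sentence saying it must match the `Id` of a `<Profile>` defined earlier in the same XML, because the snippet binds the Visitor group to whatever profile that `Id` names and a mismatched or unfilled value will not validate. Since the Guest account needs no password, the text should also say explicitly that the allowed-app list of that profile is the only thing limiting what a walk-up user can do on the device, so the profile referenced here should be the most restrictive one in the file.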

View File

@ -9,7 +9,7 @@ author: alhopper-msft
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/21/2018
ms.date: 05/22/2018
---
# Microsoft Remote Assist
@ -25,7 +25,6 @@ Below are the technical requirements to deploy and use Microsoft Remote Assist t
|:---------------------------|:----------------------------------|:-----------------------------------------------------------|
| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. |
| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. |
| Mobile device (optional) | Android or iOS | A mobile device can collaborate with the HoloLens using Microsoft Teams. Inking, annotations, and image insertion are not currently available on mobile. |
> [!Note]
> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available.
@ -42,7 +41,7 @@ Below are the technical requirements to deploy and use Microsoft Remote Assist t
1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your companys network bandwidth, follow these steps:
1. Have a mobile Teams user (iOS or Android) video call a desktop Teams user.
1. Have a Teams user video call another Teams user.
2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user.
3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time.

View File

@ -9,7 +9,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/22/2018
ms.date: 05/21/2018
---
# Microsoft HoloLens
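Review bot: `ms.date` goes backwards here, from 05/22/2018 to 05/21/2018, the opposite of every other metadata change in this merge; this looks like the wrong side of a conflict being kept, so restore 05/22/2018.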

View File

@ -9,64 +9,6 @@ ms.author: celested
ms.date: 10/30/2017
---
<div id="main" class="v2">
<div class="container">
<ul class="cardsY panelContent featuredContent">
<li>
<a href="https://www.microsoft.com/education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="" />
</div>
</div>
<div class="cardText">
<span class="likeAnH3">Learn about Microsoft Education</span>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://docs.microsoft.com/education/get-started/get-started-with-microsoft-education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="" />
</div>
</div>
<div class="cardText">
<span class="likeAnH3">For IT Pros: Get Started using Microsoft Education</span>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows/test-windows10s-for-edu" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="" />
</div>
</div>
<div class="cardText">
<span class="likeAnH3">Test Windows 10 S for Education</span>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</div>
<div class="container">
<h1>Microsoft Education documentation and resources</h1>
<ul class="pivots">
@ -88,11 +30,11 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/M365-education.svg" alt="" />
<img src="https://docs.microsoft.com/en-us/media/hubs/microsoft365/M365-education.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Microsoft 365 Education</h3>
<h3>Learn Why Microsoft 365 Education</h3>
<p>Find out how to empower educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.</p>
</div>
</div>
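Review bot: the image `src` changes from a site-relative path to an absolute `https://docs.microsoft.com/en-us/media/...` URL. Hard-coding the `en-us` locale means localized builds of the hub pull the English asset path, and absolute URLs break on staging or review hosts; a root-relative `/media/hubs/microsoft365/M365-education.svg` path avoids both.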
@ -101,18 +43,18 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://docs.microsoft.com/education/get-started/get-started-with-microsoft-education" target="_blank">
<a href="/microsoft-365/education/deploy/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-get-started.svg" alt="" />
<img src="https://docs.microsoft.com/en-us/media/hubs/education/education-pro-get-started.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Get started for IT Pros</h3>
<p>Get started with Microsoft Education and set up a cloud infrastructure for your school, acquire apps, and configure and deploy settings to your Windows 10 devices.</p>
<h3>Deployment Overview</h3>
<p>Learn how to deploy our suite of education offerings. Set up a cloud infrastructure for your school, acquire apps, and configure and manage Windows 10 devices.</p>
</div>
</div>
</div>
@ -120,18 +62,20 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa?ui=en-US&amp;rs=en-US&amp;ad=US&amp;fromAR=1#ID0EAAAAEAAA=Education" target="_blank">
</li>
<li>
<a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-scd" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-office365.svg" alt="" />
<img src="https://docs.microsoft.com/en-us/media/hubs/education/education-pro-office365.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Office 365 for Education</h3>
<p>Manage Office 365 users and groups, get reports, and more.</p>
<h3>1. Cloud deployment</h3>
<p>Get started by creating your Office 365 tenant, setting up a cloud infrastructure for your school, and creating, managing, and syncing user accounts.</p>
</div>
</div>
</div>
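Review bot: the first lines of this hunk leave an empty `<li></li>` in the list (the old `<a>` is removed but its `<li>` stays, then a new `<li>` opens), which renders as a blank card slot. The new `href` also carries `?branch=m365-integration`, a docs preview-branch selector that should be dropped before this ships, otherwise readers are sent to an unpublished branch.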
@ -139,121 +83,7 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="/intune-education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-intune.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Intune for Education</h3>
<p>Manage apps and settings on your Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-windows10.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Windows 10 for Education</h3>
<p>Configure and deploy the most secure Windows version for your school.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://docs.microsoft.com/schooldatasync/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-school-data.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>School Data Sync</h3>
<p>Import Student Information System (SIS) into Office 365.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/azure/active-directory/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-azure-directory.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Azure Active Directory</h3>
<p>Use to create and manage user and group accounts.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/microsoft-store/index?toc=/microsoft-store/education/toc.json" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-store.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Store for Education</h3>
<p>Purchase and manage apps and licenses for your school.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows/school-get-minecraft" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Minecraft: Education Edition</h3>
<p>Learn how to get, distribute, and manage permissions for Minecraft: Education Edition.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app" target="_blank">
<a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-sdm" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
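Review bot: this hunk drops the Intune for Education, Windows 10 for Education, School Data Sync, Azure Active Directory, Microsoft Store for Education and Minecraft: Education Edition cards without adding replacements; if they are meant to be reached through the new "2. Device Management" card, say so in the PR, because the Azure AD and Store cards are the identity and licensing entry points an IT admin looks for on this hub. The replacement `href` again carries the `?branch=m365-integration` preview parameter.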
@ -263,8 +93,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
<h3>2. Device Management</h3>
<p>Improve student learning outcomes through connected classrooms and engaging new technologies with streamlined device management.</p>
</div>
</div>
</div>
@ -272,7 +102,7 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://docs.microsoft.com/en-us/microsoftteams/teams-quick-start-edu" target="_blank">
<a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-atft" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -282,8 +112,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Microsoft Teams</h3>
<p>Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your organization.</p>
<h3>3. Tools for Teachers</h3>
<p>The latest classroom resources at teachers fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more.</p>
</div>
</div>
</div>
@ -617,7 +447,7 @@ ms.date: 10/30/2017
</div>
</li>
<li>
<a href="https://www.mepn.com" target="_blank">
<a href="https://partner.microsoft.com/solutions/education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
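Review bot: the new `https://partner.microsoft.com/solutions/education` link keeps `target="_blank"` without `rel="noopener noreferrer"`; a cross-origin page opened this way receives a `window.opener` handle back to the docs page, so add the `rel` attribute here and on the other external `target="_blank"` anchors in this hub.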
@ -627,8 +457,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Microsoft Education Partner Network</h3>
<p>Find out the latest news and announcements for Microsoft Education partners.</p>
<h3>Microsoft Partner Network</h3>
<p>Discover the latest news and resources for Microsoft Education products, solutions, licensing, and readiness.</p>
</div>
</div>
</div>
@ -636,7 +466,7 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://www.mepn.com/MEPN/AEPHome.aspx" target="_blank">
<a href="https://www.mepn.com" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -646,8 +476,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Authorized Education Partner (AEP) home page</h3>
<p>Access the essentials and find out what it takes to become an AEP.</p>
<h3>Authorized Education Partner (AEP) program</h3>
<p>Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEU).</p>
</div>
</div>
</div>
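Review bot: the AEP card now points at the bare `https://www.mepn.com` root instead of the previous `/MEPN/AEPHome.aspx` page, while its text still promises the AEP program specifically; confirm that the root URL lands on the AEP content or keep the deeper path.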

View File

@ -24,7 +24,7 @@ ms.topic: conceptual
[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft.
<iframe width="501" height="282" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
<iframe width="501" height="282" src="https://www.youtube-nocookie.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
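Review bot: switching the embed to `youtube-nocookie.com` is the privacy-enhanced mode and the right default for a public docs page; apply the same change to any other YouTube iframes in the education set so the behaviour is consistent across topics.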

View File

@ -1,7 +1,7 @@
---
title: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
description: Overview of Windows 10 Pro Education in S mode, switching options, and system requirements
keywords: Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU
keywords: S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
@ -53,9 +53,7 @@ Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode <BR>
Tenant-wide Windows 10 Pro > Pro Education
> [!IMPORTANT]
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a BMR factory reset..
[Recovery media (bare metal recovery)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) helps restore a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
### Devices running Windows 10, version 1709
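Review bot: "bare metal recover (BMR)" should read "bare metal recovery (BMR)", and the note still has "its free" and "its not" without apostrophes. More importantly, the merged sentence now says a BMR reset restores the factory state and, in the next sentence, that a device switched via the Store "will remain out of S mode even after the device is reset", which reads as a contradiction; spell out that the second "reset" means a push-button reset, not the BMR media.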

View File

@ -0,0 +1,28 @@
---
title: Applying hotfixes on MBAM 2.5 SP1
description: Applying hotfixes on MBAM 2.5 SP1
author: ppriya-msft
ms.assetid:
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 5/30/2018
---
# Applying hotfixes on MBAM 2.5 SP1
This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126)
#### Steps to update the MBAM Server for existing MBAM environment
1. Remove MBAM server feature(do this by opening the MBAM Server Configuration Tool, then select Remove Features).
2. Remove MDOP MBAM from Control Panel | Programs and Features.
3. Install MBAM 2.5 SP1 RTM server components.
4. Install lastest MBAM 2.5 SP1 hotfix rollup.
5. Configure MBAM features using MBAM Server Configurator.
#### Steps to install the new MBAM 2.5 SP1 server hotfix
refer to the document for new server installation.
https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/deploying-the-mbam-25-server-infrastructure
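Review bot: steps 1 and 2 remove the MBAM server features and the MDOP MBAM product before the hotfix rollup is installed, but the page says nothing about the Recovery and Compliance databases; it should state whether they survive the feature removal and tell the reader to back them up first, since losing the Recovery Database means losing the stored BitLocker recovery keys. Minor: "lastest" should be "latest", the final heading says "install the new ... server hotfix" but the body only points to the fresh-install guide, and the bare URL on the last line should be a link.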

View File

@ -7,20 +7,25 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
ms.date: 05/23/2018
---
# How to Move the MBAM 2.5 Databases
Use these procedures to move the following databases from one computer to another, that is, to move the databases from Server A to Server B:
Use these procedures to move the following databases from one computer to another; from Server A to Server B, for example:
- Compliance and Audit Database
- Recovery Database
If you are moving multiple features, move them in the following order:
>[!NOTE]
>It is important that the databases be restored to Machine B PRIOR to running the MBAM Configuration Wizard to update/configure them.
If the databases are NOT present, the Configuration Wizard creates NEW, empty, databases. When your existing databases are then restored, this process will break the MBAM configuration.
Restore the databases FIRST, then run the MBAM Configuration Wizard, choose the database option, and the Configuration Wizard will “connect” to the databases you restored; upgrading them if needed as part of the process.
**If you are moving multiple features, move them in the following order:**
1. Recovery Database
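Review bot: the new note says "Machine B" where the rest of the topic says "Server B"; use one name. The warning is the key point of this change but is split across a `[!NOTE]` and two loose paragraphs with curly quotes around “connect” and "PRIOR" in capitals; a single `[!IMPORTANT]` block stating "restore the databases first, then run the Configuration Wizard" would carry it better.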
@ -32,13 +37,10 @@ If you are moving multiple features, move them in the following order:
5. Self-Service Portal
**Note**  
To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions.
 
## Moving the Recovery Database
>[!Note]
>To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions.
## Move the Recovery Database
The high-level steps for moving the Recovery Database are:
@ -46,473 +48,537 @@ The high-level steps for moving the Recovery Database are:
2. Back up the Recovery Database on Server A
3. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
3. Move the Recovery Database from Server A to Server B
4. Move the Recovery Database from Server A to Server B
4. Restore the Recovery Database on Server B
5. Restore the Recovery Database on Server B
5. Configure access to the Database on Server B and update connection data
6. Configure access to the Database on Server B and update connection data
6. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
7. Resume the instance of the Administration and Monitoring Website
**How to move the Recovery Database**
### How to move the Recovery Database
1. **Stop all instances of the MBAM Administration and Monitoring Website**
**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
- On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
``` syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
```
**Note**  
To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
>[!NOTE]
>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
 
### Back up the Recovery Database on Server A
2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B**
1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**.
1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md).
2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode:
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature.
```
USE master;
GO
ALTER DATABASE "MBAM Recovery and Hardware"
SET RECOVERY FULL;
GO
-- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices.
USE master
GO
EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',
'Z:\MBAM Recovery Database Data.bak';
GO
-- Back up the full MBAM Recovery Database.
BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];
GO
BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]
TO FILE = 'Z:\SQLServerInstanceCertificateFile'
WITH PRIVATE KEY
(
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
ENCRYPTION BY PASSWORD = '$PASSWORD$'
);
GO
```
Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database.
3. Use the following value to replace the values in the code example with values that match your environment:
For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md).
**$PASSWORD$** - password that you use to encrypt the Private Key file.
3. **Back up the Recovery Database on Server A**
4. In Windows PowerShell, run the script that is stored in the file and similar to the following:
1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**.
```syntax
PS C:\> Invoke-Sqlcmd -InputFile
'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
5. Use the following value to replace the values in the code example with values that match your environment:
To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode:
**$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up.
``` syntax
USE master;
GO
ALTER DATABASE "MBAM Recovery and Hardware"
SET RECOVERY FULL;
GO
-- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices.
USE master
GO
EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',
'Z:\MBAM Recovery Database Data.bak';
GO
-- Back up the full MBAM Recovery Database.
BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];
GO
BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]
TO FILE = 'Z:\SQLServerInstanceCertificateFile'
WITH PRIVATE KEY
(
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
ENCRYPTION BY PASSWORD = '$PASSWORD$'
);
GO
```
### Move the Recovery Database from Server A to Server B
Use the following value to replace the values in the code example with values that match your environment.
Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
**$PASSWORD$** - password that you will use to encrypt the Private Key file.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
```syntax
PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak”
\\$SERVERNAME$\$DESTINATIONSHARE$
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile”
\\$SERVERNAME$\$DESTINATIONSHARE$
Use the following value to replace the values in the code example with values that match your environment:
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
\\$SERVERNAME$\$DESTINATIONSHARE$
**$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up.
```
Use the information in the following table to replace the values in the code example with values that match your environment.
4. **Move the Recovery Database from Server A to Server B**
| **Parameter** | **Description** |
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
- Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
### Restore the Recovery Database on Server B
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
``` syntax
PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile” \\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$
```
2. When the previous task finishes, select **From Device**, and then select the database backup file.
Use the information in the following table to replace the values in the code example with values that match your environment.
3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$</p></td>
<td align="left"><p>Name of the server to which the files will be copied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DESTINATIONSHARE$</p></td>
<td align="left"><p>Name of the share and path to which the files will be copied.</p></td>
</tr>
</tbody>
</table>
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
 
```syntax
-- Restore MBAM Recovery Database.
5. **Restore the Recovery Database on Server B**
USE master
1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
GO
2. When the previous task finishes, select **From Device**, and then select the database backup file.
-- Drop certificate created by MBAM Setup.
3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process.
DROP CERTIFICATE [MBAM Recovery Encryption Certificate]
To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
GO
``` syntax
-- Restore MBAM Recovery Database.
USE master
GO
-- Drop certificate created by MBAM Setup.
DROP CERTIFICATE [MBAM Recovery Encryption Certificate]
GO
--Add certificate
CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]
FROM FILE = 'Z: \SQLServerInstanceCertificateFile'
WITH PRIVATE KEY
(
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
DECRYPTION BY PASSWORD = '$PASSWORD$'
);
GO
-- Restore the MBAM Recovery Database data and log files.
RESTORE DATABASE [MBAM Recovery and Hardware]
FROM DISK = 'Z:\MBAM Recovery Database Data.bak'
WITH REPLACE
```
--Add certificate
Use the following value to replace the values in the code example with values that match your environment.
CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]
**$PASSWORD$** - password that you used to encrypt the Private Key file.
FROM FILE = 'Z:\SQLServerInstanceCertificateFile'
4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
WITH PRIVATE KEY
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
(
Use the following value to replace the values in the code example with values that match your environment.
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
**$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored.
DECRYPTION BY PASSWORD = '$PASSWORD$'
6. **Configure access to the Database on Server B and update connection data**
);
1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process.
GO
If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
-- Restore the MBAM Recovery Database data and log files.
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites.
RESTORE DATABASE [MBAM Recovery and Hardware]
3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString**
FROM DISK = 'Z:\MBAM Recovery Database Data.bak'
4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved.
WITH REPLACE
```
5. Update the **Initial Catalog** value with the recovered database name.
5. Use the following value to replace the values in the code example with values that match your environment.
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
**$PASSWORD$** - password that you used to encrypt the Private Key file.
``` syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”
PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”
```
6. In Windows PowerShell, run the script that is stored in the file and similar to the following:
**Note**  
This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
```syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
7. Use the following value to replace the values in the code example with values that match your environment.
 
**$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored.
Use the following table to replace the values in the code example with values that match your environment.
### Configure access to the Database on Server B and update connection data
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the Recovery database.</p></td>
</tr>
</tbody>
</table>
1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process.
 
>[!NOTE]
>If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
7. **Resume the instance of the Administration and Monitoring Website**
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites.
1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
3. Edit the following registry key:
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
**HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString**
``` syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved.
**Note**  
To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
5. Update the **Initial Catalog** value with the recovered database name.
 
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
## Moving the Compliance and Audit Database
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
PS C:\> Set-WebConfigurationProperty
'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath
"IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data
Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and
Hardware;Integrated Security=SSPI;”
PS C:\> Set-WebConfigurationProperty
'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'
-PSPath "IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value
"Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery
and Hardware;Integrated Security=SSPI;”
```
>[!Note]
>This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
7. Use the following table to replace the values in the code example with values that match your environment.
```html
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the Recovery database.</p></td>
</tr>
</tbody>
</table>
```
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).
>[!TIP]
>Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database.
### Resume the instance of the Administration and Monitoring Website
On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
>[!NOTE]
>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
## Move the Compliance and Audit Database
The high-level steps for moving the Compliance and Audit Database are:
1. Stop all instances of the MBAM Administration and Monitoring Website
2. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
2. Back up the Compliance and Audit Database on Server A
3. Back up the Compliance and Audit Database on Server A
3. Move the Compliance and Audit Database from Server A to Server B
4. Move the Compliance and Audit Database from Server A to Server B
4. Restore the Compliance and Audit Database on Server B
5. Restore the Compliance and Audit Database on Server B
5. Configure access to the Database on Server B and update connection data
6. Configure access to the Database on Server B and update connection data
6. Install MBAM Server software and run the MBAM Server Configuration wizard on
Server B
7. Resume the instance of the Administration and Monitoring Website
**How to move the Compliance and Audit Database**
### How to move the Compliance and Audit Database
1. **Stop all instances of the MBAM Administration and Monitoring Website**
**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
- On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
``` syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
```
**Note**  
To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
>[!NOTE]
>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
 
### Back up the Compliance and Audit Database on Server A
2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B**
1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**.
1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md).
2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature.
```syntax
Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database.
USE master;
For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md).
GO
3. **Back up the Compliance and Audit Database on Server A**
ALTER DATABASE "MBAM Compliance Status"
1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**.
SET RECOVERY FULL;
To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
GO
``` syntax
USE master;
GO
ALTER DATABASE "MBAM Compliance Status"
SET RECOVERY FULL;
GO
-- Create MBAM Compliance Status Data logical backup devices.
USE master
GO
EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',
'Z: \MBAM Compliance Status Database Data.bak';
GO
-- Back up the full MBAM Compliance Recovery database.
BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];
GO
```
-- Create MBAM Compliance Status Data logical backup devices.
2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
USE master
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
GO
Using the following value, replace the values in the code example with values that match your environment:
EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',
**$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up.
'Z: \MBAM Compliance Status Database Data.bak';
4. **Move the Compliance and Audit Database from Server A to Server B**
GO
- Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
-- Back up the full MBAM Compliance Recovery database.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];
``` syntax
PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$
```
GO
Using the following table, replace the values in the code example with values that match your environment.
```
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$</p></td>
<td align="left"><p>Name of the server to which the files will be copied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DESTINATIONSHARE$</p></td>
<td align="left"><p>Name of the share and path to which the files will be copied.</p></td>
</tr>
</tbody>
</table>
3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
 
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
5. **Restore the Compliance and Audit Database on Server B**
```
1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
4. Using the following value, replace the values in the code example with values that match your environment:
2. When the previous task finishes, select **From Device**, and then select the database backup file.
**$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up.
3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file, and click **OK** to complete the restoration process.
### Move the Compliance and Audit Database from Server A to Server B**
To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
1. Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
``` syntax
-- Create MBAM Compliance Status Database Data logical backup devices.
Use master
GO
-- Restore the MBAM Compliance Status database data files.
RESTORE DATABASE [MBAM Compliance Status]
FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'
WITH REPLACE
```
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
```syntax
PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
\\$SERVERNAME$\$DESTINATIONSHARE$
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
```
Using the following value, replace the values in the code example with values that match your environment.
3. Using the following table, replace the values in the code example with values that match your environment.
**$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored.
| **Parameter** | **Description** |
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
6. **Configure access to the Database on Server B and update connection data**
### Restore the Compliance and Audit Database on Server B
1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process.
1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
2. When the previous task finishes, select **From Device**, and then select the database backup file.
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website.
3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file and click **OK** to complete the restoration process.
3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString**
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved.
```syntax
-- Create MBAM Compliance Status Database Data logical backup devices.
5. Update the **Initial Catalog** value with the recovered database name.
Use master
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
GO
``` syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
```
-- Restore the MBAM Compliance Status database data files.
**Note**  
This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
RESTORE DATABASE [MBAM Compliance Status]
 
FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'
Using the following table, replace the values in the code example with values that match your environment.
WITH REPLACE
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the recovered database.</p></td>
</tr>
</tbody>
</table>
```
 
5. In Windows PowerShell, run the script that is stored in the file and similar to the following:
7. **Resume the instance of the Administration and Monitoring Website**
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
```
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
6. Using the following value, replace the values in the code example with values that match your environment.
``` syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
**$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored.
**Note**  
To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
### Configure access to the Database on Server B and update connection data
 
1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process.
>[!NOTE]
>If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website.
## Related topics
3. Edit the following registry key:
**HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString**
[How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md)
4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved.
[Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)
5. Update the **Initial Catalog** value with the recovered database name.
[Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md)
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
 
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
 
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
```
>[!NOTE]
>This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
7. Using the following table, replace the values in the code example with values that match your environment.
```html
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the recovered database.</p></td>
</tr>
</tbody>
</table>
```
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).
>[!TIP]
>Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database.
### Resume the instance of the Administration and Monitoring Website
On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
>[!NOTE]
>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
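Review bot: markdown escaping has leaked into the fenced PowerShell block of the updated "Configure access to the Database on Server B" step for the Recovery Database: the `reg add` path reads `"HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web"` (a double backslash is literal inside a code fence, so the key will not be found), the second XPath reads `'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'` with a backslash before `@`, and both XPaths have lost the leading `/` that the earlier form `'/connectionStrings/add[@name="KeyRecoveryConnectionString"]'` keeps; restore the single-backslash, unescaped, rooted versions. Related defects in the same hunk: the backup command `Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` is missing the `-` before `ServerInstance` and will not bind the parameter; the T-SQL paths `'Z: \SQLServerInstanceCertificateFile'`, `' Z:\SQLServerInstanceCertificateFilePrivateKey'` and `'Z: \MBAM Compliance Status Database Data.bak'` carry stray spaces; the Compliance restore reads `FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'` although the move step copies the .bak to `Z:\`; the heading "Move the Compliance and Audit Database from Server A to Server B**" ends in a stray `**`; the Compliance section still says the Data Source is the instance "to which the Recovery Database was moved" and its table says "where the Recovery Database is located", where both should name the Compliance and Audit Database; and the prose gives the default name as "MBAM Compliance Status Database" while the scripts target `[MBAM Compliance Status]`. Wrapping the parameter tables in ```html fences makes them render as code rather than as tables, so drop the fence or use the pipe-table form already used at the top of this hunk. Finally, because the procedure copies the SQL Server certificate's private key file to a share and puts its decryption password in plain text into the restore .sql file (`DECRYPTION BY PASSWORD = '$PASSWORD$'`), add a sentence telling the reader to restrict the destination share to the account doing the restore and to delete the copied key file and the .sql file once `RESTORE DATABASE` completes.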

@ -58,6 +58,10 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin
Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method.
- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md)
Guide of how to apply MBAM 2.5 SP1 Server hotfixes
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
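Review bot: the new "Got a suggestion for MBAM?" block links to `http://mbam.uservoice.com/...` over plain HTTP; use `https://` so readers are not sent over an unencrypted link. The added description "Guide of how to apply MBAM 2.5 SP1 Server hotfixes" should read "Guide to applying MBAM 2.5 SP1 Server hotfixes." with a closing period, matching the other entries in this list.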

Binary file not shown.

@ -98,9 +98,9 @@ We've recently made performance improvements for changes in the private store. T
| Action | Estimated time |
| ------------------------------------------------------ | -------------- |
| Add a product to the private store <br> - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory. <br> - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab <br> - 36 hours: searchable in private store <br> - 36 hours: available on private store tab, if the product has just been added to inventory |
| Add a product to the private store <br> - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory. <br> - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab <br> - 36 hours: searchable in private store <br> - 36 hours: searchable in private store tab |
| Remove a product from private store | - 15 minutes: private store tab <br> - 36 hours: searchable in private store |
| Accept a new LOB app into your inventory (under **Products & services)**) | 36 hours |
| Accept a new LOB app into your inventory (under **Products & services)**) | - 15 minutes: available on private store tab <br> - 36 hours: searchable in private store |
| Create a new collection | 15 minutes|
| Edit or remove a collection | 15 minutes |
| Create private store tab | 4-6 hours |
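Review bot: the rewritten "Add a product to the private store" row now lists the 36-hour searchable case twice in its Estimated time cell ("36 hours: searchable in private store" and "36 hours: searchable in private store tab"), so the edit loses the distinction the old row drew ("available on private store tab, if the product has just been added to inventory"); keep one searchable entry and state what the second 36-hour case actually is. In the "Accept a new LOB app" row the label `**Products & services)**)` has a closing parenthesis both inside and outside the bold marks; it should be `**Products & services**)`.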

@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.date: 4/26/2018
ms.date: 5/31/2018
---
# Microsoft Store for Business and Education release history
@ -17,6 +17,11 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## April 2018
- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. Well figure out whos in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, well let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.
- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.
- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.
## March 2018
- **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
- **Private store collection updates** - Weve made it easier to find apps when creating private store collections now you can search and filter results.
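Review bot: the new April 2018 "Assign apps to larger groups" bullet has dropped its apostrophes ("Well figure out whos in those groups", "well let you know"), and the "Private store collection updates" bullet has the same problem ("Weve made it easier ... private store collections now you can search") and also needs a dash or period before "now". While touching this list, the unchanged March entry still reads "udpate the private store"; "update".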
@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.date: 4/26/2018
ms.date: 5/31/2018
---
# What's new in Microsoft Store for Business and Education
@ -17,27 +17,36 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Latest updates for Store for Business and Education
**April 2018**
**May 2018**
| | |
|--------------------------------------|---------------------------------|
| ![License assign icon](images/license-assign-icon.png) |**Assign apps to larger groups**<br /><br /> We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. Well figure out whos in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, well let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Private store icon](images/private-store-icon.png) |**Change collection order in private store**<br /><br /> Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Office logo icon](images/office-logo.png) |**Office 365 subscription management**<br /><br /> We know that sometimes customers need to cancel subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![performance icon](images/edu-icon.png) |**Immersive Reader app in Microsoft Store for Education**<br /><br /> Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2). <br /><br /> **Applies to**:<br /> Microsoft Store for Education |
<!---
| | |
|--------------------------------------|---------------------------------|
| ![Private store icon](images/private-store-icon.png) |**Change order within private store collection**<br /><br /> Following last month's update to customize the order of your private store collections, now you can customize the order of products in each collection. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. <br /><br /> [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-->
<!---
Weve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
| | |
|-----------------------|---------------------------------|
| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| <iframe width="288" height="232" src="https://www.youtube.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
|| ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-->
## Previous releases and updates
[April 2018](release-history-microsoft-store-business-education.md#april-2018)
- Assign apps to larger groups
- Change collection order in private store
- Office 365 subscription management
[March 2018](release-history-microsoft-store-business-education.md#march-2018)
- Performance improvements in private store
- Private store collection updates
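Review bot: the heading changes from **April 2018** to **May 2018**, but three of the four rows under it (Assign apps to larger groups, Change collection order in private store, Office 365 subscription management) are the same items this commit files under April 2018 in the release history and in the "Previous releases and updates" list below; only the Immersive Reader row is new, so either the heading or the repeated rows need to be reconciled. Smaller fixes in the same rows: "Well figure out whos" and "well let you know" need apostrophes, and "need to cancel subscription" should read "cancel a subscription". The commented-out rows still carry "reqest", a doubled leading pipe (`|| ![Image showing Add a Collection.]`) and "You can groups of apps", which will surface unchanged if the comment is ever removed.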
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.author: helohr
author: HeidiLohr
ms.date: 05/10/2018
ms.date: 05/25/2018
---
# How to keep apps removed from Windows 10 from returning during an update
@ -89,8 +89,9 @@ You're now ready to update your computer. After the update, check the list of ap
## Registry keys for provisioned apps
```syntax
1709 Registry Keys
Windows Registry Editor Version 5.00
;1709 Registry Keys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe]
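Review bot: adding the `Windows Registry Editor Version 5.00` header and turning the old title line into a `;` comment makes the block a valid .reg file, which fixes the real defect here; the surrounding text should say that the header has to remain the first line of the file for `regedit /s` or a double-click import to accept it, since readers copying only the key paths will otherwise get an import error.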
@ -10,7 +10,7 @@ ms.localizationpriority: high
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 05/31/2018
---
# Change history for Configure Windows 10
@ -23,6 +23,9 @@ New or changed topic | Description
--- | ---
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available.
Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/).
[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering.
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected.
[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method.
## RELEASE: Windows 10, version 1803
@ -9,7 +9,7 @@ author: jdeckerms
ms.localizationpriority: high
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 05/31/2018
---
# Guidelines for choosing an app for assigned access (kiosk mode)
@ -45,8 +45,6 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser app is coming soon to Microsoft Store for Business.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).
@ -54,6 +52,76 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md).
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
#### Kiosk Browser settings
Kiosk Browser settings | Use this setting to
--- | ---
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
>[!TIP]
>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information:
>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
>- Data type: Integer
>- Value: 1
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
Additional guidelines for URLs:
- If a period precedes the host, the policy filters exact host matches only.
- You cannot use user:pass fields.
- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- Key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
Blocked URL rule | Block URL exception rule | Result
--- | --- | ---
`*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains.
`contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain.
`youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2).
The following table gives examples for blocked URLs.
Entry | Result
--- | ---
`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com
`https://*` | Blocks all HTTPS requests to any domain.
`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com
<<<<<<< HEAD
`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com.
=======
`.contoso.com` | Blocks contoso.com but not its subdomains, like contoso.com/docs.
>>>>>>> refs/remotes/origin/master
`.www.contoso.com` | Blocks www.contoso.com but not its subdomains.
`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list.
`*:8080` | Blocks all requests to port 8080.
`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains.
`192.168.1.2` | Blocks requests to 192.168.1.2.
`youtube.com/watch?v=V1` | Blocks youtube video with id V1.
### Other browsers
>[!NOTE]
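Review bot: unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refs/remotes/origin/master`) are committed inside the blocked-URL examples table and will render as table text. Resolve by keeping the HEAD version of the row, `.contoso.com` blocks contoso.com but not its subdomains, like subdomain.contoso.com; the other version's example, contoso.com/docs, is a path on the same host, not a subdomain, and is still blocked by that rule. Separately, the Blocked URLs row tells admins to add `https://*` to limit people to a single site, but the examples table below states that entry "Blocks all HTTPS requests to any domain", so plain http:// destinations would remain reachable; the allow-list recipe should use `*`, matching the `*` | `contoso.com` example and the "Blocks all requests except for URLs in the Blocked URL Exceptions list" row.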
@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: high
ms.date: 04/30/2018
ms.date: 05/25/2018
---
# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
@ -38,7 +38,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
>[!WARNING]
>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
>
>Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
@ -48,14 +48,14 @@ Choose this method | For this edition | For this kiosk account type
--- | --- | ---
[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user
[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user
[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user
[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory
[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
### Methods for kiosks and digital signs running a Classic Windows app
Choose this method | For this edition | For this kiosk account type
--- | --- | ---
[Provisioning](#wizard) | Ent, Edu | Local standard user
[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory
[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD
@ -200,7 +200,7 @@ Clear-AssignedAccess
>
>OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types
>
>Account type: Local standard user
>Account type: Local standard user, Active Directory
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
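Review bot: typo in the unchanged IMPORTANT note that closes this hunk: "For more informations" should read "For more information".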
@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: high
ms.date: 10/31/2017
ms.date: 05/24/2018
---
# Manage Windows 10 Start and taskbar layout
@ -109,6 +109,16 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md).
## Start layout configuration errors
If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events:
- **Event 22** is logged when the xml is malformed, meaning the specified file simply isnt valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format.
- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk.
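Review bot: in the new "Start layout configuration errors" section, the Event Viewer node is named **Applications and Services Logs** (plural); "isnt" needs its apostrophe and "UTF8" should be "UTF-8"; and the Event 64 bullet reads awkwardly ("or source is not found such as a missing or misspelled .lnk"), for example: "This can happen when the configuration is not understood or a referenced source is not found, such as a missing or misspelled .lnk file."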
## Related topics
@ -213,6 +213,7 @@
## [Update Windows 10](update/index.md)
### [Quick guide to Windows as a service](update/waas-quick-start.md)
#### [Servicing stack updates](update/servicing-stack-updates.md)
### [Overview of Windows as a service](update/waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 10/18/2017
ms.date: 05/25/2018
author: greg-lindsay
---
@ -20,6 +20,16 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.<BR>
>Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.<BR>
## Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
```
(Get-WmiObject -query select * from SoftwareLicensingService).OA3xOriginalProductKey
```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
## Enabling Subscription Activation with an existing EA
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
@ -230,4 +240,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
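Review bot: the PowerShell sample in the new "Firmware-embedded activation key" section will not run as written: the WQL query is passed unquoted, so `select` alone becomes the -Query argument and `*` and the remaining words are parsed as extra positional arguments. Quote it: `(Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey`. The fence has no language tag; `powershell` would give it highlighting. The lead-in sentence also needs a colon after "elevated Windows PowerShell prompt".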
@ -25,7 +25,7 @@ ms.localizationpriority: high
See the following video for a detailed description and demonstration of MBR2GPT.
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
You can use MBR2GPT to:
@ -0,0 +1,39 @@
---
title: Servicing stack updates (Windows 10)
description: Servicing stack updates improve the code that installs the other updates.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: Jaimeo
ms.localizationpriority: high
ms.author: jaimeo
ms.date: 05/29/2018
---
# Servicing stack updates
**Applies to**
- Windows 10
## What is a servicing stack update?
The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates.
## When are they released?
Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
## Is there any special guidance?
Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
## Installation notes
• Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
• Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
• Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
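Review bot: the "Installation notes" list uses literal bullet characters (•) instead of the `- ` list markers used elsewhere in this file (see the "Applies to" list), so the three items will render as run-in paragraphs rather than a Markdown list. Also "Installing servicing stack update does not require restarting" should read "Installing a servicing stack update does not require restarting".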
@ -37,7 +37,7 @@ See the following topics in this guide for detailed information about configurin
Click the following link to see a video demonstrating Update Compliance features.
[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube.com/embed/1cmF5c_R8I4)
[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4)
## Update Compliance architecture
@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: high
ms.author: jaimeo
ms.date: 02/09/2018
ms.date: 05/29/2018
---
# Quick guide to Windows as a service
@ -19,38 +19,38 @@ ms.date: 02/09/2018
- Windows 10 Mobile
- Windows 10 IoT Mobile
Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **Semi-Annual Channel** receives feature updates twice per year.
- The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information.
## Staying up to date
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
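Review bot: the rewritten opening sentence of "Staying up to date" still carries a stray closing parenthesis and a doubled word: "A variety of tools management and patching tools such as Windows Update, ..., and third-party products) can be used". Suggest "A variety of management and patching tools (such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used". Since the line is already being touched in this hunk, fix it here rather than in a follow-up.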

View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
ms.date: 05/18/2018
ms.date: 05/29/2018
---
# Windows 10 upgrade paths
@ -28,6 +28,8 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>**Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
D = Edition downgrade; personal data is maintained, applications and settings are removed.
@ -114,86 +116,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="8" nowrap="nowrap">Windows 8</td>
</tr>
<tr>
<td>(Core)</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional WMC</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Embedded Industry</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows RT</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="10" nowrap="nowrap">Windows 8.1</td>
</tr>
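Review bot: removing the eight Windows 8 rows also removes the Windows RT and Windows Phone 8 rows that were nested under the Windows 8 group, but the new note above only says that Windows 8.0 must first be updated to 8.1. A reader looking for Windows RT or Windows Phone 8 now finds neither a row nor a statement; either keep those two rows or add a sentence stating what applies to them. The removed Professional and Professional WMC rows also carried "D" (edition downgrade) entries, so the 8.0 note should make clear that the 8.1 update, not a direct upgrade or downgrade, is the only route.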

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 10/20/2017
ms.date: 05/23/2018
author: greg-lindsay
---
@ -92,7 +92,7 @@ Devices currently running Windows 10 Pro, version 1703 or later can get Windows
**Scenario #1**:  You are using Windows 10 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will become activated when a Subscription Activation-enabled user signs in to the device.
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
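Review bot: "will step-up to Windows 10 Enterprise" uses the hyphenated noun as a verb; write "will step up to". In the same sentence, "KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition" reads more clearly hyphenated as "KMS- or MAK-activated ... Subscription-activated", and "Subscription activated" should match the capitalization of "Subscription Activation" used elsewhere in the topic.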
@ -126,7 +126,7 @@ When you have the required Azure AD subscription, group-based licensing is the p
### Existing Enterprise deployments
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate Windows 10 Enterprise.
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
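Review bot: "activate the underlying Pro License" capitalizes "License" while the next paragraph writes "product key" in lowercase; use "Pro license". The two new sentences also state the migration twice ("The license will then step-up ..." and "This automatically migrates ..."); consider merging them into one, and again "step-up" should be "step up".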

View File

@ -1,7 +1,7 @@
---
title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro in S mode, switching options, and system requirements
keywords: Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
keywords: S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
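Review bot: the new keyword line adds three case and word-order variants of "S mode switch" and still lists "Windows 10 Pro in S mode" twice (that duplicate predates this change). Since the line is being edited anyway, drop the duplicate and keep a single "S mode switch" entry.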
@ -43,9 +43,7 @@ Worried about your LOB apps not working in S mode? Using Desktop Bridge will ena
[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root)
> [!IMPORTANT]
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a BMR factory reset..
[Recovery media (bare metal recovery)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) helps restore a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
### Windows 10 in S mode is safe, secure, and fast.
We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
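Review bot: the rewritten IMPORTANT note links "bare metal recover (BMR)"; the text it replaces used "bare metal recovery", so the link text should read "bare metal recovery (BMR)". "rollback" as a verb should be "roll back". The merged note also now says in one breath that a BMR reset is the only way back to S mode and that a device switched via the Microsoft Store "will remain out of S mode even after the device is reset"; clarify which kind of reset each sentence refers to, otherwise the two statements read as contradicting each other.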

View File

@ -21,7 +21,7 @@ ms.date: 05/09/18
In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V. Watch the following video to see an overview of the process:
</br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
## Prerequisites

View File

@ -24,7 +24,7 @@ This solution enables an IT department to achieve the above with little to no in
The following video shows the process of setting up Autopilot:
</br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
## Benefits of Windows Autopilot
@ -70,7 +70,7 @@ Multiple additional settings are skipped here, since the device automatically re
MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
</br>
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
#### Device registration and OOBE customization
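Review bot: this embed keeps align="center" and, unlike the two other embeds switched to youtube-nocookie.com in this commit, omits the allow="autoplay; encrypted-media" attribute. align is a deprecated presentational attribute in HTML5; if centring is wanted, use a wrapper or CSS, and make the three iframes consistent while they are being edited.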

View File

@ -860,7 +860,7 @@ The following fields are available:
- **Programids** The unique program identifier the driver is associated with.
## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.

View File

@ -36,7 +36,7 @@ You can learn more about Windows functional and diagnostic data through these ar
# Common data extensions
## Common data extensions
### Common Data Extensions.App
@ -346,7 +346,7 @@ The following fields are available:
- **Programids** The unique program identifier the driver is associated with.
## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
@ -4738,4 +4738,4 @@ The following fields are available:
- **scheduledRebootTime** Time of the scheduled reboot
- **updateId** ID of the update that is getting installed with this reboot
- **wuDeviceid** Unique device ID used by Windows Update
- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time
- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time

View File

@ -13,11 +13,11 @@ ms.author: jaimeo
---
# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics
# Windows 10 enhanced diagnostic data events and fields used by Windows Analytics
**Applies to**
- Windows 10, version 1709 and later
- Windows 10, version 1709 and newer
Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.
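Review bot: the Applies-to bullet changes "version 1709 and later" to "version 1709 and newer", but other topics in this same commit use "version 1607 and later" (the WIP policy topic); keep "and later" for consistency. The title change to the generic "Windows 10 enhanced diagnostic data events ..." is fine given that the bullet still states the minimum version.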

View File

@ -957,7 +957,7 @@ To turn off **Location for this device**:
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
-or-
@ -990,7 +990,7 @@ To turn off **Location**:
-or-
- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
-or-
@ -1018,7 +1018,7 @@ To turn off **Let apps use my camera**:
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
-or-
@ -1067,7 +1067,7 @@ To turn off **Let apps use my microphone**:
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
To turn off **Choose apps that can use your microphone**:
@ -1105,7 +1105,7 @@ To turn off **Let apps access my notifications**:
- Set the **Select a setting** box to **Force Deny**.
-or-
-or-
- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
@ -1113,9 +1113,9 @@ To turn off **Let apps access my notifications**:
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
### <a href="" id="bkmk-priv-speech"></a>17.6 Speech, inking, & typing
@ -1134,15 +1134,15 @@ To turn off the functionality:
-or-
- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
-or-
- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
-and-
- Create a REG\_DWORD registry setting named **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of 0 (zero).
- Create a REG\_DWORD registry setting named **HarvestContacts** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of 0 (zero).
If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models:
@ -1203,15 +1203,15 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
-or-
-or-
- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
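Review bot: this hunk only fixes indentation and "-or-" whitespace, but the context line at the bottom keeps HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy for LetAppsAccessContacts, and the next hunk keeps the same path for LetAppsAccessCalendar. Every other AppPrivacy entry corrected in this commit uses HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy; these two should get the same \Policies component, otherwise the documented key differs from the rest of the section.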
@ -1237,7 +1237,7 @@ To turn off **Let apps access my calendar**:
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@ -1269,7 +1269,7 @@ To turn off **Let apps access my call history**:
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### <a href="" id="bkmk-priv-email"></a>17.11 Email
@ -1295,7 +1295,7 @@ To turn off **Let apps access and send email**:
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### <a href="" id="bkmk-priv-messaging"></a>17.12 Messaging
@ -1313,13 +1313,13 @@ To turn off **Let apps read or send messages (text or MMS)**:
-or-
- Apply the Privacy/LetAppsAccess<Messaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@ -1349,9 +1349,9 @@ To turn off **Let apps make phone calls**:
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can make phone calls**:
@ -1380,9 +1380,9 @@ To turn off **Let apps control radios**:
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can control radios**:
@ -1403,15 +1403,16 @@ To turn off **Let apps automatically share and sync info with wireless devices t
-or-
- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
@ -1423,6 +1424,16 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-or-
- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
### <a href="" id="bkmk-priv-feedback"></a>17.16 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
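Review bot: the new LetAppsAccessTrustedDevices bullet has its Markdown link split across two lines (the ")" and ", where:" land on the next line), which will not render as a link; join it onto one line. The link also uses a repo-relative path with a .md extension (/windows/client-management/mdm/policy-csp-privacy.md#...), whereas the other Policy CSP links in this file use full https://msdn.microsoft.com/... URLs; match the existing style or confirm the relative form resolves on the published site.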
@ -1442,7 +1453,7 @@ To change how frequently **Windows should ask for my feedback**:
-or-
- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
-or-
@ -1559,9 +1570,9 @@ To turn off **Let Windows and your apps use your motion data and collect motion
- **1**. Force allow
- **2**. Force deny
-or-
-or-
- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### <a href="" id="bkmk-priv-tasks"></a>17.19 Tasks
@ -1620,7 +1631,7 @@ For Windows 10:
-or-
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
@ -1628,7 +1639,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co
-or-
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
@ -1652,7 +1663,7 @@ You can control if your settings are synchronized:
-or-
- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
-or-

View File

@ -215,7 +215,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.<br/>Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.<br/>Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|

View File

@ -23,9 +23,10 @@ The VPN client is now able to integrate with the cloud-based Conditional Access
>Conditional Access is an Azure AD Premium feature.
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/)
- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
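Review bot: the Azure AD Connect Health link fix is right (the old URL had "Azure AD" spliced into the path). While these links are being edited, note that the Windows Health Attestation Service link on the context line still carries the en-us locale segment that other hunks in this commit remove from docs URLs.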

View File

@ -87,7 +87,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
## Does BitLocker support virtual hard disks (VHDs)?
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM - Yes it is supported
- Without TPM - Yes it is supported (with password ) protector
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
## Can I use BitLocker with virtual machines (VMs)?
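Review bot: the replacement answer reads as an answer to the next question (VMs) rather than to "Does BitLocker support virtual hard disks (VHDs)?": it talks about the "environment (physical or virtual)" and TPM presence, and drops the previous statement that bootable VHDs are not supported without saying whether that restriction is lifted. Either state explicitly what now applies to bootable VHDs, or move the TPM bullets under the VM question. Also fix "(with password ) protector" to "(with a password protector)", "any specific physical machine" to "any physical machine", and put a blank line before the bullet list so it renders as a list.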

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
ms.sitesec: library
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
@ -31,7 +31,7 @@ We strongly suggest that the only unenlightened apps you add to your allowed app
>After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
>[!Note]
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
## Unenlightened app behavior
This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
@ -24,7 +24,7 @@ Follow these steps to associate your WIP policy with your organization's existin
**To associate your policies**
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.

View File

@ -6,8 +6,9 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.localizationpriority: medium
ms.date: 10/16/2017
ms.date: 05/30/2018
---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -17,99 +18,77 @@ ms.date: 10/16/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
>[!Important]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic.
## Alternative steps if you use MAM only (without device enrollment)
This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md).
If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Add a WIP policy
After youve set up Intune for your organization, you must create a WIP-specific policy.
Follow these steps to add a WIP policy using Intune.
**To add a WIP policy**
1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
1. Open Microsoft Intune and click **Mobile apps**.
![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png)
![Open Mobile apps](images/open-mobile-apps.png)
2. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
2. In **Mobile apps**, click **App protection policies**.
![App protection policies](images/app-protection-policies.png)
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy.
- **Description.** Type an optional description.
- **Platform.** Choose **Windows 10** as the supported platform for your policy.
- **Platform.** Choose **Windows 10**.
- **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
- **Enrollment state.** Choose **With enrollment**.
![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
![Add a mobile app policy](images/add-a-mobile-app-policy.png)
>[!Important]
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead.
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md).
3. Click **Create**.
4. Click **Protected apps** and then click **Add apps**.
![Add protected apps](images/add-protected-apps.png)
You can add these types of apps:
- [Recommended apps](#add-recommended-apps)
- [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps)
The policy is created and appears in the table on the **App Policy** screen.
### Add recommended apps
>[!NOTE]
>Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
## Add apps to your Allowed apps list
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app.
>[!Important]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a Recommended app to your Allowed apps list
For this example, were going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
**To add a recommended app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
To add **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade updates to show you your selected apps.
![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
![Microsoft Intune management console: Recommended apps](images/wip-azure-allowed-apps-with-apps.png)
2. From the **Allowed apps** blade, click **Add apps**.
The **Add apps** blade appears, showing you all **Recommended apps**.
### Add Store apps
![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
To add **Store apps**, type the app product name and publisher and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
3. Select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade updates to show you your selected apps.
- **Name**: Microsoft Power BI
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
![Add Store app](images\add-a-protected-store-app.png)
### Add a Store app to your Allowed apps list
For this example, were going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
To add multiple Store apps, click the elipsis **…**.
**To add a Store app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
2. From the **Allowed apps** blade, click **Add apps**.
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
3. On the **Add apps** blade, click **Store apps** from the dropdown list.
The blade changes to show boxes for you to add a publisher and app name.
4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`.
5. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
>[!NOTE]
>To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the publisher and product name values for Store apps without installing them**
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
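Review bot: the Important block that warned "WIP-unaware apps will encrypt all files they create or modify" and told the reader to get a support statement from the software provider before adding an app has no counterpart in the rewritten "Protected apps" section; that caveat is the main reason to be selective about the list (an unaware app can encrypt personal data and lose access to it on revocation), so carry it into the new "Add recommended apps" / "Add Store apps" text rather than dropping it. Smaller points in the same hunk: the image reference `images\add-a-protected-store-app.png` uses a backslash where every other image in the file uses `images/...` (it will not resolve on a non-Windows build host), and "elipsis" should be "ellipsis".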
@ -122,24 +101,24 @@ If you don't know the publisher or product name, you can find them for both desk
}
```
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
>[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network.
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
>**Note**<br>Your PC and phone must be on the same wireless network.
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
2. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
3. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
4. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
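Review bot: the Device Portal list is renumbered 1 to 4 after the old step 1 became the lead sentence, but the unchanged last step still reads "6. On the **Apps** tab ...", so the rendered list jumps from 4 to 6; renumber it to 5. The same steps turn on Developer mode, Device Discovery and Device Portal and tell the reader to "accept the SSL certificate" without saying to turn those switches back off once the publisher and product names have been copied; add that, since a paired Device Portal left running with Developer mode on is a standing remote-management surface on the phone.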
@ -151,83 +130,77 @@ If you don't know the publisher or product name, you can find them for both desk
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
### Add a Desktop app to your Allowed apps list
For this example, were going to add WordPad, a desktop app, to the **Allowed apps** list.
### Add Desktop apps
**To add a Desktop app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
To add **Desktop apps**, complete the following fields, based on what results you want returned.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
The blade changes to show boxes for you to add the following, based on what results you want returned:
<table>
<tr>
<th>Field</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields marked as “*”</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td>Publisher only</td>
<td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td>Publisher and Name only</td>
<table>
<tr>
<th>Field</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields marked as “*”</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td>Publisher only</td>
<td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td>Publisher and Name only</td>
<td>If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, and File only</td>
<td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Min version only</td>
<td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Max version only</td>
<td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>All fields completed</td>
<td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
</tr>
<tr>
<td>Publisher, Name, and File only</td>
<td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Min version only</td>
<td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Max version only</td>
<td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>All fields completed</td>
<td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
4. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
After youve entered the info into the fields, click **OK**.
>[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
>[!Note]
>To add multiple Desktop apps, click the elipsis **…**. When youre done, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
If youre unsure about what to include for the publisher, you can run this PowerShell command:
**To find the Publisher values for Desktop apps**
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example:
```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`.
```ps1
Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"
```
In this example, you'd get the following info:
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
```
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
```
### Import a list of apps to your Allowed apps list
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
**To create a list of Allowed apps using the AppLocker tool**
### Import a list of apps
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of protected apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
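Review bot: the Desktop apps table's first row ("All fields marked as '*'" manages "All files signed by any publisher") should say why it is not recommended: with a wildcard publisher rule every signed binary on the device becomes a protected app, so the list no longer bounds which apps may handle enterprise data. Smaller points: "elipsis" is misspelled again in the new Note; the old text fenced the Get-AppLockerFileInformation output as ```json and the new bare fence is the right fix, so keep the command fences tagged ```ps1 and the output fence untagged consistently; and the duplicated image line for `wip-azure-add-desktop-apps.png` looks like a whitespace-only change that is worth dropping from the diff.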
@ -238,11 +211,11 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png)
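Review bot: the alt text for the step 5 screenshot (`wip-applocker-secpol-wizard-2.png`) still says "showing the Before You Begin page" although the step describes the Permissions page (Action = Allow, User or group = Everyone); the hunk only touches trailing whitespace on these lines, so fix the alt text while you are here.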
@ -250,19 +223,19 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, click **Create**.
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png)
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png)
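Review bot: two consecutive steps are numbered 9 ("Click **No** in the dialog box ..." and "Review the Local Security Policy snap-in ..."); make the second one 10 so the "You must not create default rules for your WIP policy" instruction stands as its own step. The alt text on `wip-applocker-default-rule-warning.png` also repeats the "Microsoft Dynamics 365 on the Publisher page" caption from the previous image; describe the default-rules prompt instead.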
@ -300,47 +273,49 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your list of Allowed apps using Microsoft Intune**
**To import a list of protected apps using Microsoft Intune**
1. From the **Allowed apps** area, click **Import apps**.
1. In **Protected apps**, click **Import apps**.
![Import protected apps](images/import-protected-apps.png)
The blade changes to let you add your import file.
Then import your file.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then click **Open**.
The file imports and the apps are added to your **Allowed app** list.
The file imports and the apps are added to your **Protected apps** list.
### Add exempt apps to your policy
### Exempt apps from a WIP policy
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list**
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears.
1. In **Mobile apps - App protection policies**, click **Exempt apps**.
The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy.
![Exempt apps](images/exempt-apps.png)
2. From the **Exempt apps** blade, click **Add apps**.
2. In **Exempt apps**, click **Add apps**.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data.
3. Fill out the rest of the app info, based on the type of app youre adding:
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- [Add Recommended apps](#add-recommended-apps)
- **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- [Add Store apps](#add-store-apps)
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- [Add Desktop apps](#add-desktop-apps)
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
- [Import apps](#import-a-list-of-apps)
4. Click **OK**.
4. Click **OK**.
## Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
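Review bot: "It also means that your exempted apps might leak" is missing its object; say "might leak enterprise data", since that is the risk the reader accepts by exempting an app, and add that an exemption should be scoped as narrowly as the Desktop apps table allows (publisher, name, file and version) rather than by publisher alone. The new step 1 ("In **Mobile apps - App protection policies**, click **Exempt apps**") also drops the "click the name of your policy" step the old text had, so it no longer says which policy the exemption is added to. The removed old cross-link `#add-apps-to_your-allowed-apps-list` was broken (underscore for hyphen); the four replacement links point at headings that exist in this file.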
@ -369,11 +344,9 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
**To change your corporate identity**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
The **Required settings** blade appears.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
@ -385,16 +358,12 @@ There are no default locations included with WIP, you must add each of your netw
>[!Important]
>Every WIP policy should include policy that defines your enterprise network locations.<br>Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
**To define where your allowed apps can find and send enterprise data on you network**
**To define where your protected apps can find and send enterprise data on you network**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**.
2. Click **Add network boundary** from the Network perimeter area.
The **Add network boundary** blade appears.
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
3. Select the type of network boundary to add from the **Boundary type** box.
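Review bot: "enterprise data on you network" should be "your network"; the typo is on both the removed and the added procedure heading, so the rewrite carried it over.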
@ -410,10 +379,15 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Network domain names</td>
<td>Protected domains</td>
<td>exchange.contoso.com,contoso.com,region.contoso.com</td>
<td>Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple domains, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Network domains</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
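Review bot: the Important paragraph in the Cloud Resources row tells readers they can add `/*AppCompat*/` to stop Windows blocking IP-address connections it cannot classify, but it never states the trade-off, namely that those connections are then let through without Windows having decided whether they go to an enterprise resource or a personal site; suggest saying that in one sentence and presenting the Conditional Access recommendation that follows as the compensating control for that gap rather than as an optional extra. Separately, the Network domains row reuses the Cloud Resources wording, "If you have multiple resources, you must separate them using the "," delimiter"; it should say "multiple domains", as the Protected domains row above it does.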
@ -458,14 +432,14 @@ There are no default locations included with WIP, you must add each of your netw
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
>[!Important]
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
**To upload your DRA certificate**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
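Review bot: the opening paragraph says the DRA private key "can unencrypt the data"; the term is "decrypt", and because that one key recovers every WIP-encrypted file on every device the policy reaches, the Important note should also say where the private key belongs (exported from the certificate, kept offline and access-controlled) instead of only recommending that the certificate be uploaded. Step 2 also appears twice in this hunk with identical visible text, so the change there is whitespace only; worth confirming it is intentional.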
@ -492,9 +466,9 @@ After you've decided where your protected apps can access enterprise data on you
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
- **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection.
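Review bot: the two bullets rename "allowed apps" to "protected apps", but the enlightened-apps topic changed in this same commit still tells readers to add apps "to your allowed apps list" (see its hunk header further down), so either apply the rename there too or state once that the two terms mean the same thing. In the first bullet, "with Managed text on the app name" should mark the literal UI label as **Managed**, matching how **Start** is marked up in the same sentence.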
@ -503,7 +477,7 @@ After you've decided where your protected apps can access enterprise data on you
- **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
## Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
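Review bot: the "Use Azure RMS for WIP" bullet just above and "you must set the **AllowAzureRMSForEDP** MDM setting to **1**" in this section describe the same switch from two angles without saying so; add one sentence stating that turning the option On in the portal is what sets AllowAzureRMSForEDP to 1 (or that the MDM setting is the route when configuring the CSP directly), so readers do not conclude that both steps are required. The "at least Windows 10, version 1703" requirement belongs next to the setting, where it already is, but should also be mentioned in the bullet so it is seen by someone who only reads the options list.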
@ -513,7 +487,7 @@ Optionally, if you dont want everyone in your organization to be able to shar
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
## Related topics
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
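Review bot: "see [Configuring custom templates for the Azure Rights Management service](...) topic" is missing "the" before the link, in both the old and the new line; since the link is being edited anyway, fix the grammar at the same time. The line above, "Curly braces -- {} -- are required around the RMS Template ID", would be clearer with a placeholder value that shows the braces around the ID, so nobody has to guess whether the braces are part of the value or notation.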
@ -524,9 +498,9 @@ Optionally, if you dont want everyone in your organization to be able to shar
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 10/16/2017
---
# Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
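Review bot: this front-matter hunk shows both "ms.date: 05/30/2018" and "ms.date: 10/16/2017", and the rendered view does not make clear which line is removed; confirm the merged file keeps exactly one ms.date key, since duplicate keys in YAML front matter are handled differently by different parsers and the build may silently pick either value.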
@ -359,7 +359,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Enterprise Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<p>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<p>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
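Review bot: the example cell and the description cell of the Enterprise Cloud Resources row contradict each other on the no-proxy format: the example shows "Without proxy: contoso.sharepoint.com|contoso.visualstudio.com", while the description says "If you don't use proxy servers, you must also include the "," delimiter just before the "|"", which as written would give contoso.sharepoint.com,|contoso.visualstudio.com. One of the two is wrong, and because the same row appears in the Azure-portal and MAM topics in this commit, it should be corrected in all three at once. The only change in this hunk is the locale removed from the Conditional Access link, so the inconsistency predates it but is still the right moment to fix it.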
@ -414,7 +414,7 @@ There are no default locations included with WIP, you must add each of your netw
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
## Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
@ -424,7 +424,7 @@ Optionally, if you dont want everyone in your organization to be able to shar
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
@ -475,7 +475,7 @@ After you've decided where your protected apps can access enterprise data on you
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 10/13/2017
ms.author: justinha
ms.date: 05/30/2018
localizationpriority: medium
---
@ -26,13 +26,18 @@ By using Microsoft Intune with Mobile application management (MAM), organization
- Remove enterprise data from employee's devices
- Report on mobile app inventory and track usage
>[!NOTE]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, you must follow the instructions in the [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md) topic.
## Alternative steps if you already manage devices with MDM
This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md).
If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Prerequisites to using MAM with Windows Information Protection (WIP)
Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic.
Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10).
Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device.
Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device.
>[!Important]
>WIP doesn't support multi-identity. Only one managed identity can exist at a time.
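Review bot: the new paragraph has a typo, "device enrollement" should be "device enrollment". The added sentence "Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access" describes loss of access to protected data and belongs in the [!Important] callout that follows (or its own), not in plain body text where it is easily skipped; it should also say what happens to that data afterwards, since the reader is being told about a revoke with no recovery path mentioned.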
@ -62,7 +67,7 @@ After youve set up Intune for your organization, you must create a WIP-specif
![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-add-policy.png)
>[!Important]
>Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, you must use these instructions, [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md), instead.
>Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md).
4. Click **Create**.
@ -132,7 +137,7 @@ If you don't know the publisher or product name for your Store app, you can find
**To find the publisher and product name values for Store apps without installing them**
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
@ -445,7 +450,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Network domain names</td>
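Review bot: same example-versus-description mismatch as in the classic-console table: "Without proxy: contoso.sharepoint.com|contoso.visualstudio.com" omits the "," that the description in this same row says is mandatory before each "|". Fix the two rows together so the MAM topic does not diverge from the other two.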
@ -550,7 +555,7 @@ After you've decided where your protected apps can access enterprise data on you
- **MDM discovery URL.** Lets the **Windows Settings** > **Accounts** > **Access work or school** sign-in offer an **Upgrade to MDM** link. Additionally, this lets you switch to another MDM provider, so that Microsoft Intune can manage MAM, while the new MDM provider manages the MDM devices. By default, this is specified to use Microsoft Intune.
#### Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
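Review bot: heading levels are inconsistent: "#### Choose to set up Azure Rights Management with WIP" is level 4, while "### Choose whether to use and configure Windows Hello for Business" later in this topic is level 3 and the equivalent section in the other two topics in this commit is "##"; check the intended nesting. The "MDM discovery URL" bullet says the link lets you "switch to another MDM provider" but gives no guidance on validating the value before deploying it; since the device's Upgrade to MDM flow follows that address, suggest a sentence that the URL must be the endpoint of the provider you have verified, not just "by default, this is specified to use Microsoft Intune".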
@ -560,7 +565,7 @@ Optionally, if you dont want everyone in your organization to be able to shar
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
### Choose whether to use and configure Windows Hello for Business
You can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices.
@ -643,11 +648,11 @@ After youve created your policy, you'll need to deploy it to your employees.
## Related topics
- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/en-us/windows/client-management/mdm/implement-server-side-mobile-application-management)
- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management)
- [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/)
- [MAM-supported apps](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps)
- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.localizationpriority: medium
ms.date: 09/11/2017
ms.date: 05/30/2018
---
# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
@ -93,6 +93,8 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
|Microsoft MAPI Repair Tool |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** fixmapi.exe<br>**App Type:** Desktop app |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
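Review bot: the new "Microsoft MAPI Repair Tool" row gives no indication of why fixmapi.exe is enlightened or which app depends on it, while the hunk header tells readers to add these apps "to your allowed apps list"; a one-line reason would stop the entry being copied into policies blindly or, conversely, being dropped when someone trims the list. Every desktop row shares the same publisher string, so the binary name is the only thing distinguishing this entry; make sure the "Binary Name" value is exact, as the table is what administrators paste into their policy.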

12 binary image files changed in this commit (7 added, 5 modified); binary contents are not shown.
View File

@ -7,8 +7,8 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 10/26/2017
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
---
@ -69,7 +69,7 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).</td>
</tr>
<tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
@ -79,7 +79,7 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>ActiveX controls should be used with caution.</td>
<td>Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.</td>
<td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<br><br>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
<td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<br><br>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
</tr>
<tr>
<td>Resilient File System (ReFS) isn't currently supported with WIP.</td>
@ -105,7 +105,7 @@ This table provides info about the most common problems you might encounter whil
</ul>
</td>
<td>WIP isnt turned on for employees in your organization.</td>
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
</td>
</tr>
</table>
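Review bot: the two links to the same support article now take different forms: the first troubleshooting row uses `https://support.microsoft.com/kb/3187045` while the redirected-folders row uses `https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection`; pick one form for both so a link check treats them as a single target. Dropping the `en-us` segment is fine, since it lets the site serve the reader's locale.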

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
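Review bot: the `author:` line is replaced by `ms.author: justinha` rather than kept alongside it. In this docset `author` carries the GitHub alias and `ms.author` the Microsoft alias; if the build's required-metadata check includes `author`, this file will fail validation, so keep an `author:` entry (updated if eross-msft no longer owns the topic). The same substitution is repeated in the next four WIP topics below, so fix them together.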
@ -29,7 +29,7 @@ This list provides all of the tasks and settings that are required for the opera
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.|
|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.|
>[!NOTE]

View File

@ -7,9 +7,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Protect your enterprise data using Windows Information Protection (WIP)
@ -18,7 +18,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
@ -29,7 +29,7 @@ Youll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people cant share anything and its all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
@ -18,7 +18,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Using Outlook on the web with Windows Information Protection (WIP)
@ -17,7 +17,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP):

View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
@ -17,7 +17,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 05/31/2018
---
# Domain member: Maximum machine account password age
@ -32,8 +32,9 @@ For more information, see [Machine Account Password Process](https://blogs.techn
### Best practices
It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.
### Location
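Review bot: the paragraph beginning "Setting the value to fewer days" is not indented, so it ends the list started by item 1 and item 2 begins a new list; indent that paragraph by three spaces (or fold it into item 1) so both points render under one numbered list.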

View File

@ -39,6 +39,7 @@ Limited periodic scanning is a special type of threat detection and remediation
It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
## How to enable limited periodic scanning
@ -69,4 +70,4 @@ Sliding the swtich to **On** will show the standard Windows Defender AV options
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
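Review bot: the only change here is the missing newline at end of file, which is fine to fix; while touching this file, the context shown in the hunk header, "Sliding the swtich to **On**", has a typo ("swtich" for "switch") that belongs in the same change.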

View File

@ -73,7 +73,7 @@ Active mode | Windows Defender AV is used as the antivirus app on the machine. A
Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
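Review bot: collapsing "goes out of date, is not updated, or stops providing real-time protection" into "expires or otherwise stops providing real-time protection" narrows what the reader is told triggers the fallback. "Expires" reads as the third-party subscription lapsing, whereas stale definitions on a still-licensed product are the more common case; if both conditions apply, keep the update condition ("expires, is not updated, or otherwise stops ...") rather than dropping it.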
@ -90,4 +90,4 @@ In passive and automatic disabled mode, you can still [manage updates for Window
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)

View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 05/03/2018
ms.date: 05/29/2018
---
@ -90,16 +90,13 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | Microsoft.com DNS record
:---|:---
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` ```events.data.microsoft.com```
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```
US | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
Europe | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
UK | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
AU | ```au.vortex-win.data.microsoft.com```<br>```au-v20.events.data.microsoft.com```<br>```winatp-gw-aue.microsoft.com```<br>```winatp-gw-aus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
## Verify client connectivity to Windows Defender ATP service URLs
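Review bot: adding the `<br>` before ```events.data.microsoft.com``` fixes the cell that rendered two hosts on one line. The "If a proxy or firewall is blocking anonymous traffic" line reads identically before and after, so that part of the hunk is presumably a whitespace-only edit; drop it unless it was intended. One caveat worth stating next to the table: ```*.blob.core.windows.net``` matches every Azure Blob storage account, not only Microsoft-operated ones, so an egress allowlist containing it permits traffic to any Azure-hosted blob; say the wildcard is required by the service and recommend pairing it with proxy logging.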

View File

@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik
## Do I have the flexibility to select where to store my data?
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.

View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/30/2018
---
# Investigate machines in the Windows Defender ATP Machines list
@ -164,6 +164,13 @@ You can add tags on machines using the following ways:
### Add machine tags by setting a registry key value
Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
>[!NOTE]
> Applicable only on the following machines:
>- Windows 10, version 1709 or later
>- Windows Server, version 1803 or later
>- Windows Server 2016
>- Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
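Review bot: the new note lists "Windows Server, version 1803 or later" above "Windows Server 2016" and "Windows Server 2012 R2", so an "or later" entry is followed by older releases; reorder the list (2012 R2, 2016, version 1803 or later) so it is clear which releases are excluded. Also confirm there is a blank line between the last ">- Windows Server 2012 R2" item and "Machines with similar tags"; without one the paragraph is treated as a lazy continuation and rendered inside the note.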

View File

@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
You will need to set up your preferences for the Windows Defender ATP portal.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in Europe or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
> [!WARNING]
> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.

View File

@ -65,6 +65,7 @@ If you encounter an error when trying to get a refresh token when using the thre
5. Add the following URL:
- For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
- For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
- For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
6. Click **Save**.
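Review bot: the US entry ends with a period after the closing backtick while the Europe and new United Kingdom entries do not; make the three items consistent (no trailing period is the usual choice for URL-only list items).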

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -22,6 +22,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Microsoft Office 365
- Microsoft Office 2016
- Microsoft Office 2013
@ -42,7 +43,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
@ -191,7 +192,7 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
>[!WARNING]
>[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.]
>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
### Rule: Block untrusted and unsigned processes that run from USB
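Review bot: the rewritten warning is still wrapped in square brackets (">[Only use this rule ... function correctly.]"), which render as literal brackets around the paragraph; remove the outer pair. The substantive correction, that the rule blocks the WMI commands the Configuration Manager client relies on rather than "PSExec commands in SCCM", is the explanation worth keeping, and the switch from "SCCM" to the full product name should match how the rest of the topic refers to it.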

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -20,6 +20,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
# Collect diagnostic data for Windows Defender Exploit Guard file submissions
@ -19,6 +19,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -51,7 +51,7 @@ All apps (any executable file, including .exe, .scr, .dll files and others) are
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
# Customize Attack surface reduction
@ -19,7 +19,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10 Enterprise edition, version 1709 and later
- Windows Server 2016
**Audience**
@ -35,7 +35,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
# Customize Exploit protection
@ -19,7 +19,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -20,7 +20,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -37,7 +37,7 @@ ms.date: 04/30/2018
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -20,7 +20,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
# Evaluate Network protection
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10 Enterprise edition, version 1709 or later
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
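Review bot: swapping "Available in" for "Supported in" changes the meaning of the opening sentence, not just its tone; "available" says the feature ships in Windows 10 Enterprise, "supported" says Microsoft backs its use there, and the Applies to hunk above also lists Windows Server 2016, which this sentence now omits. If the intent is a licensing note, state it as one ("requires Windows 10 Enterprise"); otherwise align the sentence with the Applies to list so the two do not contradict each other.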

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -12,7 +12,7 @@ ms.date: 04/16/2018
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/21/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 05/21/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
**Audience**
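Review bot: the Applies to wording differs across the files touched by this commit; this hunk uses "Windows 10, version 1709 or higher", the Evaluate Network protection page uses "Windows 10 Enterprise edition, version 1709 or later", and the remaining pages use "Windows 10, version 1709 and later". Since every one of these lists is being edited here anyway, pick one phrasing (the docs set mostly uses "and later") and apply it in all of them.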
@ -36,7 +36,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
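Review bot: the scope of Network protection is stated two different ways within this hunk; the reworded line says it "prevents employees from using any application to access dangerous domains", while the trailing context line says it blocks "all outbound HTTP(s) traffic that attempts to connect to low-reputation sources". A reader cannot tell from this whether non-HTTP connections from arbitrary applications are covered, so tighten one of the two sentences to match the other (for example, qualify "any application" with the protocol scope, or drop "HTTP(s)" if the block applies to all outbound connections to the flagged host). The same "Supported in Windows 10 Enterprise" versus "Windows Server 2016" mismatch raised on the other Network protection page applies here as well.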

View File

@ -19,6 +19,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**