diff --git a/[!NOTE] b/[!NOTE] new file mode 100644 index 0000000000..e69de29bb2 diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 4994e63ed6..2ba0d202e0 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -444,13 +444,22 @@ This policy setting specifies whether you can use the Sync your Settings option |URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | |Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Do not sync browser settings >*Supported versions: Windows 10* This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. +**MDM settings in Microsoft Intune** +| | | +|---|---| +|MDM name |Experience/DoNotSynBrowserSettings | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Experience/DoNotSynBrowserSettings | +|Data type |Integer | +|Allowed values | | + ## Keep favorites in sync between Internet Explorer and Microsoft Edge >*Supported versions: Windows 10, version 1703 or later* @@ -463,7 +472,7 @@ This policy setting specifies whether favorites are kept in sync between Interne |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Prevent access to the about:flags page >*Supported versions: Windows 10, version 1607 or later* diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 9a7f96a9d6..b4fd1b6043 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/21/2018 +ms.date: 05/22/2018 --- # Change history for Microsoft HoloLens documentation @@ -24,6 +24,7 @@ New or changed topic | Description [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | New [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | New [Microsoft Layout app](hololens-microsoft-layout-app.md) | New +[Set up HoloLens in kiosk mode](hololens-kiosk.md) | Added instructions for setting up a guest account for kiosk mode. ## Windows 10 Holographic for Business, version 1803 diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index e2d13d4a96..d1be189b4b 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -9,14 +9,14 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 05/22/2018 --- # Set up HoloLens in kiosk mode -In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. +In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest) When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. @@ -116,6 +116,22 @@ Follow [the instructions for creating a kiosk configuration XML file for desktop - Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens. - Use the [placeholder Start XML](#start-kiosk) for HoloLens. + +#### Add guest access to the kiosk configuration (optional) + +In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. + +Use the following snippet in your kiosk configuration XML to enable the **Guest** account: + +```xml + + + + + + +``` + ### Add the kiosk configuration XML file to a provisioning package diff --git a/devices/hololens/hololens-microsoft-remote-assist-app.md b/devices/hololens/hololens-microsoft-remote-assist-app.md index c0338f0e8d..cea23cde18 100644 --- a/devices/hololens/hololens-microsoft-remote-assist-app.md +++ b/devices/hololens/hololens-microsoft-remote-assist-app.md @@ -9,7 +9,7 @@ author: alhopper-msft ms.author: alhopper ms.topic: article ms.localizationpriority: medium -ms.date: 05/21/2018 +ms.date: 05/22/2018 --- # Microsoft Remote Assist @@ -25,7 +25,6 @@ Below are the technical requirements to deploy and use Microsoft Remote Assist t |:---------------------------|:----------------------------------|:-----------------------------------------------------------| | HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. | | Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. | -| Mobile device (optional) | Android or iOS | A mobile device can collaborate with the HoloLens using Microsoft Teams. Inking, annotations, and image insertion are not currently available on mobile. | > [!Note] > HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available. @@ -42,7 +41,7 @@ Below are the technical requirements to deploy and use Microsoft Remote Assist t 1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your company’s network bandwidth, follow these steps: - 1. Have a mobile Teams user (iOS or Android) video call a desktop Teams user. + 1. Have a Teams user video call another Teams user. 2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user. 3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 1cc40ecf7a..3ec29c73a2 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/22/2018 +ms.date: 05/21/2018 --- # Microsoft HoloLens diff --git a/education/index.md b/education/index.md index 4a5f5a36ba..424b52680d 100644 --- a/education/index.md +++ b/education/index.md @@ -9,64 +9,6 @@ ms.author: celested ms.date: 10/30/2017 ---
-
- -

Microsoft Education documentation and resources

@@ -272,7 +102,7 @@ ms.date: 10/30/2017
  • - +
    @@ -282,8 +112,8 @@ ms.date: 10/30/2017
    -

    Microsoft Teams

    -

    Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your organization.

    +

    3. Tools for Teachers

    +

    The latest classroom resources at teachers’ fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more.

    • @@ -617,7 +447,7 @@ ms.date: 10/30/2017
  • - +
    @@ -627,8 +457,8 @@ ms.date: 10/30/2017
    -

    Microsoft Education Partner Network

    -

    Find out the latest news and announcements for Microsoft Education partners.

    +

    Microsoft Partner Network

    +

    Discover the latest news and resources for Microsoft Education products, solutions, licensing, and readiness.

    @@ -636,7 +466,7 @@ ms.date: 10/30/2017
  • - +
    @@ -646,8 +476,8 @@ ms.date: 10/30/2017
    -

    Authorized Education Partner (AEP) home page

    -

    Access the essentials and find out what it takes to become an AEP.

    +

    Authorized Education Partner (AEP) program

    +

    Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEU).

    diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 2354f8351b..817ad59a3f 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -24,7 +24,7 @@ ms.topic: conceptual [Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. - + Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index 9e17d2476b..73aa07a2c3 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -1,7 +1,7 @@ --- title: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode description: Overview of Windows 10 Pro Education in S mode, switching options, and system requirements -keywords: Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU +keywords: S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU ms.mktglfcycl: deploy ms.localizationpriority: high ms.prod: w10 @@ -53,9 +53,7 @@ Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode
    Tenant-wide Windows 10 Pro > Pro Education > [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a BMR factory reset.. - -[Recovery media (bare metal recovery)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) helps restore a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ### Devices running Windows 10, version 1709 diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md new file mode 100644 index 0000000000..ff7aab122d --- /dev/null +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -0,0 +1,28 @@ +--- +title: Applying hotfixes on MBAM 2.5 SP1 +description: Applying hotfixes on MBAM 2.5 SP1 +author: ppriya-msft +ms.assetid: +ms.pagetype: mdop, security +ms.mktglfcycl: manage +ms.sitesec: library +ms.prod: w10 +ms.date: 5/30/2018 +--- + +# Applying hotfixes on MBAM 2.5 SP1 +This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 + +### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126) + +#### Steps to update the MBAM Server for existing MBAM environment +1. Remove MBAM server feature(do this by opening the MBAM Server Configuration Tool, then select Remove Features). +2. Remove MDOP MBAM from Control Panel | Programs and Features. +3. Install MBAM 2.5 SP1 RTM server components. +4. Install lastest MBAM 2.5 SP1 hotfix rollup. +5. Configure MBAM features using MBAM Server Configurator. + +#### Steps to install the new MBAM 2.5 SP1 server hotfix +refer to the document for new server installation. +https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/deploying-the-mbam-25-server-infrastructure diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md index ddeb99133d..c8ba024eef 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md @@ -7,20 +7,25 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 06/16/2016 +ms.date: 05/23/2018 --- - # How to Move the MBAM 2.5 Databases - -Use these procedures to move the following databases from one computer to another, that is, to move the databases from Server A to Server B: +Use these procedures to move the following databases from one computer to another; from Server A to Server B, for example: - Compliance and Audit Database - Recovery Database -If you are moving multiple features, move them in the following order: +>[!NOTE] +>It is important that the databases be restored to Machine B PRIOR to running the MBAM Configuration Wizard to update/configure them. + +If the databases are NOT present, the Configuration Wizard creates NEW, empty, databases. When your existing databases are then restored, this process will break the MBAM configuration. + +Restore the databases FIRST, then run the MBAM Configuration Wizard, choose the database option, and the Configuration Wizard will “connect” to the databases you restored; upgrading them if needed as part of the process. + +**If you are moving multiple features, move them in the following order:** 1. Recovery Database @@ -32,13 +37,10 @@ If you are moving multiple features, move them in the following order: 5. Self-Service Portal -**Note**   -To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions. - -  - -## Moving the Recovery Database +>[!Note] +>To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions. +## Move the Recovery Database The high-level steps for moving the Recovery Database are: @@ -46,473 +48,537 @@ The high-level steps for moving the Recovery Database are: 2. Back up the Recovery Database on Server A -3. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B +3. Move the Recovery Database from Server A to Server B -4. Move the Recovery Database from Server A to Server B +4. Restore the Recovery Database on Server B -5. Restore the Recovery Database on Server B +5. Configure access to the Database on Server B and update connection data -6. Configure access to the Database on Server B and update connection data +6. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B 7. Resume the instance of the Administration and Monitoring Website -**How to move the Recovery Database** +### How to move the Recovery Database -1. **Stop all instances of the MBAM Administration and Monitoring Website** +**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. - - On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. +To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: - To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: +```syntax +PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` syntax - PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` +``` - **Note**   - To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. +>[!NOTE] +>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. -   +### Back up the Recovery Database on Server A -2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B** +1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**. - 1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md). +2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode: - 2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature. + ``` + USE master; + + GO + + ALTER DATABASE "MBAM Recovery and Hardware" + + SET RECOVERY FULL; + + GO + + -- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices. + + USE master + + GO + + EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', + + 'Z:\MBAM Recovery Database Data.bak'; + + GO + + -- Back up the full MBAM Recovery Database. + + BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; + + GO + + BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] + + TO FILE = 'Z:\SQLServerInstanceCertificateFile' + + WITH PRIVATE KEY + + ( + + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', + + ENCRYPTION BY PASSWORD = '$PASSWORD$' + + ); + + GO + ``` - Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database. +3. Use the following value to replace the values in the code example with values that match your environment: - For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md). + **$PASSWORD$** - password that you use to encrypt the Private Key file. -3. **Back up the Recovery Database on Server A** +4. In Windows PowerShell, run the script that is stored in the file and similar to the following: - 1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**. + ```syntax + PS C:\> Invoke-Sqlcmd -InputFile + 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ``` +5. Use the following value to replace the values in the code example with values that match your environment: - To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode: + **$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up. - ``` syntax - USE master; - GO - ALTER DATABASE "MBAM Recovery and Hardware" - SET RECOVERY FULL; - GO - -- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices. - USE master - GO - EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', - 'Z:\MBAM Recovery Database Data.bak'; - GO - -- Back up the full MBAM Recovery Database. - BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; - GO - BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] - TO FILE = 'Z:\SQLServerInstanceCertificateFile' - WITH PRIVATE KEY - ( - FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - ENCRYPTION BY PASSWORD = '$PASSWORD$' - ); - GO - ``` +### Move the Recovery Database from Server A to Server B - Use the following value to replace the values in the code example with values that match your environment. +Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. - **$PASSWORD$** - password that you will use to encrypt the Private Key file. +To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: - 2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: +```syntax +PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak” +\\$SERVERNAME$\$DESTINATIONSHARE$ - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` +PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile” +\\$SERVERNAME$\$DESTINATIONSHARE$ - Use the following value to replace the values in the code example with values that match your environment: +PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” +\\$SERVERNAME$\$DESTINATIONSHARE$ - **$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up. +``` +Use the information in the following table to replace the values in the code example with values that match your environment. -4. **Move the Recovery Database from Server A to Server B** +| **Parameter** | **Description** | +|----------------------|---------------------------------------------------------------| +| $SERVERNAME$ | Name of the server to which the files will be copied. | +| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | +|---|---| - - Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. +### Restore the Recovery Database on Server B - To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: +1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio. - ``` syntax - PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$ - PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile” \\$SERVERNAME$\$DESTINATIONSHARE$ - PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` +2. When the previous task finishes, select **From Device**, and then select the database backup file. - Use the information in the following table to replace the values in the code example with values that match your environment. +3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process. - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$

    Name of the server to which the files will be copied.

    $DESTINATIONSHARE$

    Name of the share and path to which the files will be copied.

    +4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: -   + ```syntax + -- Restore MBAM Recovery Database. -5. **Restore the Recovery Database on Server B** + USE master - 1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio. + GO - 2. When the previous task finishes, select **From Device**, and then select the database backup file. + -- Drop certificate created by MBAM Setup. - 3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process. + DROP CERTIFICATE [MBAM Recovery Encryption Certificate] - To automate this procedure, create a SQL file (.sql) that contains the following SQL script: + GO - ``` syntax - -- Restore MBAM Recovery Database. - USE master - GO - -- Drop certificate created by MBAM Setup. - DROP CERTIFICATE [MBAM Recovery Encryption Certificate] - GO - --Add certificate - CREATE CERTIFICATE [MBAM Recovery Encryption Certificate] - FROM FILE = 'Z: \SQLServerInstanceCertificateFile' - WITH PRIVATE KEY - ( - FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - DECRYPTION BY PASSWORD = '$PASSWORD$' - ); - GO - -- Restore the MBAM Recovery Database data and log files. - RESTORE DATABASE [MBAM Recovery and Hardware] - FROM DISK = 'Z:\MBAM Recovery Database Data.bak' - WITH REPLACE - ``` + --Add certificate - Use the following value to replace the values in the code example with values that match your environment. + CREATE CERTIFICATE [MBAM Recovery Encryption Certificate] - **$PASSWORD$** - password that you used to encrypt the Private Key file. + FROM FILE = 'Z:\SQLServerInstanceCertificateFile' - 4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: + WITH PRIVATE KEY - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` + ( - Use the following value to replace the values in the code example with values that match your environment. + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - **$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored. + DECRYPTION BY PASSWORD = '$PASSWORD$' -6. **Configure access to the Database on Server B and update connection data** + ); - 1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process. + GO - If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. + -- Restore the MBAM Recovery Database data and log files. - 2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. + RESTORE DATABASE [MBAM Recovery and Hardware] - 3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** + FROM DISK = 'Z:\MBAM Recovery Database Data.bak' - 4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved. + WITH REPLACE + ``` - 5. Update the **Initial Catalog** value with the recovered database name. +5. Use the following value to replace the values in the code example with values that match your environment. - To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: + **$PASSWORD$** - password that you used to encrypt the Private Key file. - ``` syntax - PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;” - PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;” - ``` +6. In Windows PowerShell, run the script that is stored in the file and similar to the following: - **Note**   - This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + ```syntax + PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ``` +7. Use the following value to replace the values in the code example with values that match your environment. -   + **$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored. - Use the following table to replace the values in the code example with values that match your environment. +### Configure access to the Database on Server B and update connection data - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$\$SQLINSTANCENAME$

    Server name and instance of SQL Server where the Recovery Database is located.

    $DATABASE$

    Name of the Recovery database.

    +1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process. -   + >[!NOTE] + >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. -7. **Resume the instance of the Administration and Monitoring Website** +2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. - 1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. +3. Edit the following registry key: - 2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** - ``` syntax - PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" - ``` +4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. - **Note**   - To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. +5. Update the **Initial Catalog** value with the recovered database name. -   +6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: -## Moving the Compliance and Audit Database + ```syntax + PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v + RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial + Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f + PS C:\> Set-WebConfigurationProperty + 'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath + "IIS:\sites\Microsoft Bitlocker Administration and + Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data + Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and + Hardware;Integrated Security=SSPI;” + + PS C:\> Set-WebConfigurationProperty + 'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' + -PSPath "IIS:\sites\Microsoft Bitlocker Administration and + Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value + "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery + and Hardware;Integrated Security=SSPI;” + ``` + + >[!Note] + >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + + +7. Use the following table to replace the values in the code example with values that match your environment. + + ```html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterDescription

    $SERVERNAME$\$SQLINSTANCENAME$

    Server name and instance of SQL Server where the Recovery Database is located.

    $DATABASE$

    Name of the Recovery database.

    + + ``` + +### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B + +1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software). + +2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases). + + >[!TIP] + >Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database. + + +### Resume the instance of the Administration and Monitoring Website + +On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. + +To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + +```syntax +PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" +``` + +>[!NOTE] +>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. + +## Move the Compliance and Audit Database The high-level steps for moving the Compliance and Audit Database are: 1. Stop all instances of the MBAM Administration and Monitoring Website -2. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B +2. Back up the Compliance and Audit Database on Server A -3. Back up the Compliance and Audit Database on Server A +3. Move the Compliance and Audit Database from Server A to Server B -4. Move the Compliance and Audit Database from Server A to Server B +4. Restore the Compliance and Audit Database on Server B -5. Restore the Compliance and Audit Database on Server B +5. Configure access to the Database on Server B and update connection data -6. Configure access to the Database on Server B and update connection data +6. Install MBAM Server software and run the MBAM Server Configuration wizard on + Server B 7. Resume the instance of the Administration and Monitoring Website -**How to move the Compliance and Audit Database** +### How to move the Compliance and Audit Database -1. **Stop all instances of the MBAM Administration and Monitoring Website** +**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. - - On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. +To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: - To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: +```syntax +PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` syntax - PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` +``` - **Note**   - To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. +>[!NOTE] +>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. -   +### Back up the Compliance and Audit Database on Server A -2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B** +1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**. - 1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md). +2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - 2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. + ```syntax - Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database. + USE master; - For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md). + GO -3. **Back up the Compliance and Audit Database on Server A** + ALTER DATABASE "MBAM Compliance Status" - 1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**. + SET RECOVERY FULL; - To automate this procedure, create a SQL file (.sql) that contains the following SQL script: + GO - ``` syntax - USE master; - GO - ALTER DATABASE "MBAM Compliance Status" - SET RECOVERY FULL; - GO - -- Create MBAM Compliance Status Data logical backup devices. - USE master - GO - EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device', - 'Z: \MBAM Compliance Status Database Data.bak'; - GO - -- Back up the full MBAM Compliance Recovery database. - BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device]; - GO - ``` + -- Create MBAM Compliance Status Data logical backup devices. - 2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: + USE master - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` + GO - Using the following value, replace the values in the code example with values that match your environment: + EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device', - **$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up. + 'Z: \MBAM Compliance Status Database Data.bak'; -4. **Move the Compliance and Audit Database from Server A to Server B** + GO - - Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. + -- Back up the full MBAM Compliance Recovery database. - To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device]; - ``` syntax - PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` + GO - Using the following table, replace the values in the code example with values that match your environment. + ``` - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$

    Name of the server to which the files will be copied.

    $DESTINATIONSHARE$

    Name of the share and path to which the files will be copied.

    +3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: -   + ```syntax + PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ -5. **Restore the Compliance and Audit Database on Server B** + ``` - 1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio. +4. Using the following value, replace the values in the code example with values that match your environment: - 2. When the previous task finishes, select **From Device**, and then select the database backup file. + **$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up. - 3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file, and click **OK** to complete the restoration process. +### Move the Compliance and Audit Database from Server A to Server B** - To automate this procedure, create a SQL file (.sql) that contains the following SQL script: +1. Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. - ``` syntax - -- Create MBAM Compliance Status Database Data logical backup devices. - Use master - GO - -- Restore the MBAM Compliance Status database data files. - RESTORE DATABASE [MBAM Compliance Status] - FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak' - WITH REPLACE - ``` +2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: - 4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: + ```syntax + PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" + \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` + ``` - Using the following value, replace the values in the code example with values that match your environment. +3. Using the following table, replace the values in the code example with values that match your environment. - **$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored. + | **Parameter** | **Description** | + |----------------------|---------------------------------------------------------------| + | $SERVERNAME$ | Name of the server to which the files will be copied. | + | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | + |---|---| -6. **Configure access to the Database on Server B and update connection data** +### Restore the Compliance and Audit Database on Server B - 1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process. +1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio. - If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. +2. When the previous task finishes, select **From Device**, and then select the database backup file. - 2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. +3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file and click **OK** to complete the restoration process. - 3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** +4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - 4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved. + ```syntax + -- Create MBAM Compliance Status Database Data logical backup devices. - 5. Update the **Initial Catalog** value with the recovered database name. + Use master - To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: + GO - ``` syntax - PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - ``` + -- Restore the MBAM Compliance Status database data files. - **Note**   - This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + RESTORE DATABASE [MBAM Compliance Status] -   + FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak' - Using the following table, replace the values in the code example with values that match your environment. + WITH REPLACE - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$\$SQLINSTANCENAME$

    Server name and instance of SQL Server where the Recovery Database is located.

    $DATABASE$

    Name of the recovered database.

    + ``` -   +5. In Windows PowerShell, run the script that is stored in the file and similar to the following: -7. **Resume the instance of the Administration and Monitoring Website** + ```syntax + PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - 1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. + ``` - 2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: +6. Using the following value, replace the values in the code example with values that match your environment. - ``` syntax - PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" - ``` + **$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored. - **Note**   - To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. +### Configure access to the Database on Server B and update connection data -   +1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process. + >[!NOTE] + >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. +2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. -## Related topics +3. Edit the following registry key: + **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** -[How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md) +4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. -[Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md) +5. Update the **Initial Catalog** value with the recovered database name. -[Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md) +6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: -  + ```syntax + PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v + ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial + Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f -  -## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). + ``` + >[!NOTE] + >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. +7. Using the following table, replace the values in the code example with values that match your environment. + ```html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterDescription

    $SERVERNAME$\$SQLINSTANCENAME$

    Server name and instance of SQL Server where the Recovery Database is located.

    $DATABASE$

    Name of the recovered database.

    + + ``` + +### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B + +1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software). + +2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases). + + >[!TIP] + >Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database. + + +### Resume the instance of the Administration and Monitoring Website + +On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. + +To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + +```syntax +PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" + +``` + +>[!NOTE] +>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 2a9e37642f..84fc7c8df0 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -58,6 +58,10 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. +- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) + + Guide of how to apply MBAM 2.5 SP1 Server hotfixes + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/store-for-business/images/edu-icon.png b/store-for-business/images/edu-icon.png new file mode 100644 index 0000000000..49009f7085 Binary files /dev/null and b/store-for-business/images/edu-icon.png differ diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 1ffbe49b5b..6cc5e6ec35 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -98,9 +98,9 @@ We've recently made performance improvements for changes in the private store. T | Action | Estimated time | | ------------------------------------------------------ | -------------- | -| Add a product to the private store
    - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
    - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store
    - 36 hours: available on private store tab, if the product has just been added to inventory | +| Add a product to the private store
    - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
    - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store
    - 36 hours: searchable in private store tab | | Remove a product from private store | - 15 minutes: private store tab
    - 36 hours: searchable in private store | -| Accept a new LOB app into your inventory (under **Products & services)**) | 36 hours | +| Accept a new LOB app into your inventory (under **Products & services)**) | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store | | Create a new collection | 15 minutes| | Edit or remove a collection | 15 minutes | | Create private store tab | 4-6 hours | diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 59e3fc2354..d7484344ae 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 5/31/2018 --- # Microsoft Store for Business and Education release history @@ -17,6 +17,11 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## April 2018 +- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. +- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. +- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. + ## March 2018 - **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) - **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 22f2d481f3..fc29d300b3 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 5/31/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,27 +17,36 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**April 2018** +**May 2018** | | | |--------------------------------------|---------------------------------| -| ![License assign icon](images/license-assign-icon.png) |**Assign apps to larger groups**

    We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Private store icon](images/private-store-icon.png) |**Change collection order in private store**

    Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Office logo icon](images/office-logo.png) |**Office 365 subscription management**

    We know that sometimes customers need to cancel subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | - +| ![performance icon](images/edu-icon.png) |**Immersive Reader app in Microsoft Store for Education**

    Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2).

    **Applies to**:
    Microsoft Store for Education | + + ## Previous releases and updates +[April 2018](release-history-microsoft-store-business-education.md#april-2018) +- Assign apps to larger groups +- Change collection order in private store +- Office 365 subscription management + [March 2018](release-history-microsoft-store-business-education.md#march-2018) - Performance improvements in private store - Private store collection updates diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 23057f6df2..fc63f4cba3 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.author: helohr author: HeidiLohr -ms.date: 05/10/2018 +ms.date: 05/25/2018 --- # How to keep apps removed from Windows 10 from returning during an update @@ -89,8 +89,9 @@ You're now ready to update your computer. After the update, check the list of ap ## Registry keys for provisioned apps ```syntax -1709 Registry Keys Windows Registry Editor Version 5.00 +;1709 Registry Keys + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe] diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 3b3edbc102..95e3da2dff 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,7 +10,7 @@ ms.localizationpriority: high author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 05/31/2018 --- # Change history for Configure Windows 10 @@ -23,6 +23,9 @@ New or changed topic | Description --- | --- [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available. Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/). +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering. +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected. +[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method. ## RELEASE: Windows 10, version 1803 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 8e57f63ebd..91b729e5c8 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: high ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 05/31/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) @@ -45,8 +45,6 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. ->[!NOTE] ->Kiosk Browser app is coming soon to Microsoft Store for Business. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). @@ -54,6 +52,76 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr 2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) 3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). +>[!NOTE] +>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). + +#### Kiosk Browser settings + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

    For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

    If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!TIP] +>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: +>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +>- Data type: Integer +>- Value: 1 + + +#### Rules for URLs in Kiosk Browser settings + +Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). + +URLs can include: +- A valid port value from 1 to 65,535. +- The path to the resource. +- Query parameters. + +Additional guidelines for URLs: + +- If a period precedes the host, the policy filters exact host matches only. +- You cannot use user:pass fields. +- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence. +- The policy searches wildcards (*) last. +- The optional query is a set of key-value and key-only tokens delimited by '&'. +- Key-value tokens are separated by '='. +- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching. + +### Examples of blocked URLs and exceptions + +The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. + +Blocked URL rule | Block URL exception rule | Result +--- | --- | --- +`*` | `contoso.com`
    `fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains. +`contoso.com` | `mail.contoso.com`
    `.contoso.com`
    `.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. +`youtube.com` | `youtube.com/watch?v=v1`
    `youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). + +The following table gives examples for blocked URLs. + +Entry | Result +--- | --- +`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com +`https://*` | Blocks all HTTPS requests to any domain. +`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com +<<<<<<< HEAD +`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. +======= +`.contoso.com` | Blocks contoso.com but not its subdomains, like contoso.com/docs. +>>>>>>> refs/remotes/origin/master +`.www.contoso.com` | Blocks www.contoso.com but not its subdomains. +`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. +`*:8080` | Blocks all requests to port 8080. +`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. +`192.168.1.2` | Blocks requests to 192.168.1.2. +`youtube.com/watch?v=V1` | Blocks youtube video with id V1. + ### Other browsers >[!NOTE] diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index a20aa7ba15..a2b8efc53b 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md @@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: high -ms.date: 04/30/2018 +ms.date: 05/25/2018 --- # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education @@ -38,7 +38,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t >[!WARNING] >For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. > ->Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. @@ -48,14 +48,14 @@ Choose this method | For this edition | For this kiosk account type --- | --- | --- [Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user [PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user +[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory [Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD ### Methods for kiosks and digital signs running a Classic Windows app Choose this method | For this edition | For this kiosk account type --- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user +[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory [ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD @@ -200,7 +200,7 @@ Clear-AssignedAccess > >OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types > ->Account type: Local standard user +>Account type: Local standard user, Active Directory >[!IMPORTANT] >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 4ae9863908..58bb51fd67 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: high -ms.date: 10/31/2017 +ms.date: 05/24/2018 --- # Manage Windows 10 Start and taskbar layout @@ -109,6 +109,16 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a [Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). +## Start layout configuration errors + +If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events: + +- **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format. +- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk. + + + + ## Related topics diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index e194452c11..d27c1b2542 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -213,6 +213,7 @@ ## [Update Windows 10](update/index.md) ### [Quick guide to Windows as a service](update/waas-quick-start.md) +#### [Servicing stack updates](update/servicing-stack-updates.md) ### [Overview of Windows as a service](update/waas-overview.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1f0b464194..dd0540a540 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 10/18/2017 +ms.date: 05/25/2018 author: greg-lindsay --- @@ -20,6 +20,16 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with >Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
    >Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.
    +## Firmware-embedded activation key + +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt + +``` +(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +``` + +If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. + ## Enabling Subscription Activation with an existing EA If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: @@ -230,4 +240,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct A popup window will display the Windows 10 version number and detailed OS build information. - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. \ No newline at end of file + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 8e67035c39..d7833b9afb 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -25,7 +25,7 @@ ms.localizationpriority: high See the following video for a detailed description and demonstration of MBR2GPT. - + You can use MBR2GPT to: diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md new file mode 100644 index 0000000000..196ca53038 --- /dev/null +++ b/windows/deployment/update/servicing-stack-updates.md @@ -0,0 +1,39 @@ +--- +title: Servicing stack updates (Windows 10) +description: Servicing stack updates improve the code that installs the other updates. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: Jaimeo +ms.localizationpriority: high +ms.author: jaimeo +ms.date: 05/29/2018 +--- + +# Servicing stack updates + + +**Applies to** + +- Windows 10 + +## What is a servicing stack update? +The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. + +## Why should servicing stack updates be installed and kept up to date? + +Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. + +## When are they released? + +Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. + +## Is there any special guidance? + +Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. + +## Installation notes + +• Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +• Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +• Servicing stack update releases are specific to the operating system version (build number), much like quality updates. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index a7ed74d098..b5fe1d1337 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -37,7 +37,7 @@ See the following topics in this guide for detailed information about configurin Click the following link to see a video demonstrating Update Compliance features. -[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube.com/embed/1cmF5c_R8I4) +[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) ## Update Compliance architecture diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 8ea214bbb5..1f5292084f 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -7,7 +7,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: high ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 05/29/2018 --- # Quick guide to Windows as a service @@ -19,38 +19,38 @@ ms.date: 02/09/2018 - Windows 10 Mobile - Windows 10 IoT Mobile -Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. +Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. -- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. +- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. +- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - The **Semi-Annual Channel** receives feature updates twice per year. - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. -- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. +- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. ## Key Concepts -Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. +Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. -Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. +Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information. ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. -Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. +Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. -This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. +This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index e6f428797e..9b8d7a8ea6 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 05/18/2018 +ms.date: 05/29/2018 --- # Windows 10 upgrade paths @@ -28,6 +28,8 @@ This topic provides a summary of available upgrade paths to Windows 10. You can >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. +>**Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). + ✔ = Full upgrade is supported including personal data, settings, and applications.
    D = Edition downgrade; personal data is maintained, applications and settings are removed. @@ -114,86 +116,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - - Windows 8 - - - (Core) - ✔ - ✔ - ✔ - ✔ - - - - - - - Professional - D - ✔ - ✔ - ✔ - ✔ - - - - - - Professional WMC - D - ✔ - ✔ - ✔ - ✔ - - - - - - Enterprise - - - - ✔ - ✔ - - - - - - Embedded Industry - - - - - ✔ - - - - - - Windows RT - - - - - - - - - - - Windows Phone 8 - - - - - - - - - Windows 8.1 diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 55b9610b67..4041db03d8 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 10/20/2017 +ms.date: 05/23/2018 author: greg-lindsay --- @@ -92,7 +92,7 @@ Devices currently running Windows 10 Pro, version 1703 or later can get Windows **Scenario #1**:  You are using Windows 10 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). -All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will become activated when a Subscription Activation-enabled user signs in to the device. +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. **Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). @@ -126,7 +126,7 @@ When you have the required Azure AD subscription, group-based licensing is the p ### Existing Enterprise deployments -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate Windows 10 Enterprise. +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index 65d8ce2bec..c28bb0c1bd 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -1,7 +1,7 @@ --- title: Windows 10 Pro in S mode description: Overview of Windows 10 Pro in S mode, switching options, and system requirements -keywords: Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode +keywords: S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode ms.mktglfcycl: deploy ms.localizationpriority: high ms.prod: w10 @@ -43,9 +43,7 @@ Worried about your LOB apps not working in S mode? Using Desktop Bridge will ena [Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root) > [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a BMR factory reset.. - -[Recovery media (bare metal recovery)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) helps restore a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ### Windows 10 in S mode is safe, secure, and fast. We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md b/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md index 3314bb3171..e181abe7ac 100644 --- a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md +++ b/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md @@ -21,7 +21,7 @@ ms.date: 05/09/18 In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V. Watch the following video to see an overview of the process:
    - + ## Prerequisites diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md index 2ba3acaf9e..2346937196 100644 --- a/windows/deployment/windows-autopilot/windows-10-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md @@ -24,7 +24,7 @@ This solution enables an IT department to achieve the above with little to no in The following video shows the process of setting up Autopilot:
    - + ## Benefits of Windows Autopilot @@ -70,7 +70,7 @@ Multiple additional settings are skipped here, since the device automatically re MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
    - + #### Device registration and OOBE customization diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 6cf9614a7c..b46ecc7203 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -860,7 +860,7 @@ The following fields are available: - **Programids** The unique program identifier the driver is associated with. -## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 06874ee41a..32579a1856 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -36,7 +36,7 @@ You can learn more about Windows functional and diagnostic data through these ar -# Common data extensions +## Common data extensions ### Common Data Extensions.App @@ -346,7 +346,7 @@ The following fields are available: - **Programids** The unique program identifier the driver is associated with. -## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. @@ -4738,4 +4738,4 @@ The following fields are available: - **scheduledRebootTime** Time of the scheduled reboot - **updateId** ID of the update that is getting installed with this reboot - **wuDeviceid** Unique device ID used by Windows Update -- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time \ No newline at end of file +- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 34d534863c..9d31869696 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -13,11 +13,11 @@ ms.author: jaimeo --- -# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics +# Windows 10 enhanced diagnostic data events and fields used by Windows Analytics **Applies to** -- Windows 10, version 1709 and later +- Windows 10, version 1709 and newer Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d80ca22032..8c98fdf633 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -957,7 +957,7 @@ To turn off **Location for this device**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -or- @@ -990,7 +990,7 @@ To turn off **Location**: -or- -- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). -or- @@ -1018,7 +1018,7 @@ To turn off **Let apps use my camera**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -or- @@ -1067,7 +1067,7 @@ To turn off **Let apps use my microphone**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) To turn off **Choose apps that can use your microphone**: @@ -1105,7 +1105,7 @@ To turn off **Let apps access my notifications**: - Set the **Select a setting** box to **Force Deny**. - -or- + -or- - Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where: @@ -1113,9 +1113,9 @@ To turn off **Let apps access my notifications**: - **1**. Force allow - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) ###     17.6 Speech, inking, & typing @@ -1134,15 +1134,15 @@ To turn off the functionality: -or- -- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). -or- -- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). -and- -- Create a REG\_DWORD registry setting named **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **HarvestContacts** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of 0 (zero). If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models: @@ -1203,15 +1203,15 @@ To turn off **Choose apps that can access contacts**: - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where: +- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where: + + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - - **0**. User in control - - **1**. Force allow - - **2**. Force deny - - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). @@ -1237,7 +1237,7 @@ To turn off **Let apps access my calendar**: - **1**. Force allow - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). @@ -1269,7 +1269,7 @@ To turn off **Let apps access my call history**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.11 Email @@ -1295,7 +1295,7 @@ To turn off **Let apps access and send email**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.12 Messaging @@ -1313,13 +1313,13 @@ To turn off **Let apps read or send messages (text or MMS)**: -or- -- Apply the Privacy/LetAppsAccess17.16 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -1442,7 +1453,7 @@ To change how frequently **Windows should ask for my feedback**: -or- -- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). -or- @@ -1559,9 +1570,9 @@ To turn off **Let Windows and your apps use your motion data and collect motion - **1**. Force allow - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.19 Tasks @@ -1620,7 +1631,7 @@ For Windows 10: -or- -- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: @@ -1628,7 +1639,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co -or- -- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. @@ -1652,7 +1663,7 @@ You can control if your settings are synchronized: -or- -- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). -or- diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 9a584e36e0..19f600c354 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -215,7 +215,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
    Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| | S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
    Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| | S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| -| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| +| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| | S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| | S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. | | S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 7d22c3efb9..792ac66a13 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -23,9 +23,10 @@ The VPN client is now able to integrate with the cloud-based Conditional Access >Conditional Access is an Azure AD Premium feature. Conditional Access Platform components used for Device Compliance include the following cloud-based services: -- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/) -- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/) +- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) + +- [Azure AD Connect Health](https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health) - [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index 874b4e95dd..ba0111e029 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -87,7 +87,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical ## Does BitLocker support virtual hard disks (VHDs)? -BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. +BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. +- With TPM - Yes it is supported +- Without TPM - Yes it is supported (with password ) protector + +BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. ## Can I use BitLocker with virtual machines (VMs)? diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 9069e4634e..1c8b475572 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) @@ -31,7 +31,7 @@ We strongly suggest that the only unenlightened apps you add to your allowed app >After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted. >[!Note] ->For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center. +>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center. ## Unenlightened app behavior This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames. diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 32d3fa955b..c554266f44 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune @@ -24,7 +24,7 @@ Follow these steps to associate your WIP policy with your organization's existin **To associate your policies** -1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). +1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 48b97409e8..a9c46de01c 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -6,8 +6,9 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft +ms.author: justinha ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 05/30/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune @@ -17,99 +18,77 @@ ms.date: 10/16/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ->[!Important] ->This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic. +## Alternative steps if you use MAM only (without device enrollment) + +This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). + +If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. + +Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Add a WIP policy -After you’ve set up Intune for your organization, you must create a WIP-specific policy. +Follow these steps to add a WIP policy using Intune. **To add a WIP policy** -1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**. +1. Open Microsoft Intune and click **Mobile apps**. - ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png) + ![Open Mobile apps](images/open-mobile-apps.png) -2. In the **App policy** screen, click **Add a policy**, and then fill out the fields: +2. In **Mobile apps**, click **App protection policies**. + + ![App protection policies](images/app-protection-policies.png) + +3. In the **App policy** screen, click **Add a policy**, and then fill out the fields: - **Name.** Type a name (required) for your new policy. - **Description.** Type an optional description. - - **Platform.** Choose **Windows 10** as the supported platform for your policy. + - **Platform.** Choose **Windows 10**. - - **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy. + - **Enrollment state.** Choose **With enrollment**. - ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png) + ![Add a mobile app policy](images/add-a-mobile-app-policy.png) >[!Important] - >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead. + >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). -3. Click **Create**. +4. Click **Protected apps** and then click **Add apps**. + + ![Add protected apps](images/add-protected-apps.png) + + You can add these types of apps: + + - [Recommended apps](#add-recommended-apps) + - [Store apps](#add-store-apps) + - [Desktop apps](#add-desktop-apps) - The policy is created and appears in the table on the **App Policy** screen. +### Add recommended apps - >[!NOTE] - >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. - -## Add apps to your Allowed apps list -During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. - ->[!Important] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -### Add a Recommended app to your Allowed apps list -For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list. - -**To add a recommended app** -1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +To add **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. +The **Protected apps** blade updates to show you your selected apps. - ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png) +![Microsoft Intune management console: Recommended apps](images/wip-azure-allowed-apps-with-apps.png) -2. From the **Allowed apps** blade, click **Add apps**. - - The **Add apps** blade appears, showing you all **Recommended apps**. +### Add Store apps - ![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png) +To add **Store apps**, type the app product name and publisher and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following: -3. Select each app you want to access your enterprise data, and then click **OK**. - - The **Allowed apps** blade updates to show you your selected apps. +- **Name**: Microsoft Power BI +- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` +- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows` - ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) +![Add Store app](images\add-a-protected-store-app.png) -### Add a Store app to your Allowed apps list -For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list. +To add multiple Store apps, click the elipsis **…**. -**To add a Store app** -1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. - - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. +If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. -2. From the **Allowed apps** blade, click **Add apps**. +1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*. -3. On the **Add apps** blade, click **Store apps** from the dropdown list. - - The blade changes to show boxes for you to add a publisher and app name. - -4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`. - -5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. - - >[!NOTE] - >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. - - ![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png) - -If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the publisher and product name values for Store apps without installing them** -1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. - -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. +2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. @@ -122,24 +101,24 @@ If you don't know the publisher or product name, you can find them for both desk } ``` -4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. +4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. >[!Important] >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
    }     -**To find the publisher and product name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >**Note**
    Your PC and phone must be on the same wireless network. +If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. +>**Note**
    Your PC and phone must be on the same wireless network. -3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. +1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. +2. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. +3. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +4. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. 6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. @@ -151,83 +130,77 @@ If you don't know the publisher or product name, you can find them for both desk >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
    }     -### Add a Desktop app to your Allowed apps list -For this example, we’re going to add WordPad, a desktop app, to the **Allowed apps** list. +### Add Desktop apps -**To add a Desktop app** -1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +To add **Desktop apps**, complete the following fields, based on what results you want returned. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. - -2. From the **Allowed apps** blade, click **Add apps**. - -3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. - - The blade changes to show boxes for you to add the following, based on what results you want returned: - - - - - - - - - - - - - - - - +
    FieldManages
    All fields marked as “*”All files signed by any publisher. (Not recommended)
    Publisher onlyIf you only fill out this field, you’ll get all files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.
    Publisher and Name only
    + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - -
    FieldManages
    All fields marked as “*”All files signed by any publisher. (Not recommended)
    Publisher onlyIf you only fill out this field, you’ll get all files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.
    Publisher and Name only If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.
    Publisher, Name, and File onlyIf you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Name, File, and Min version onlyIf you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.
    Publisher, Name, File, and Max version onlyIf you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.
    All fields completedIf you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.
    + + + Publisher, Name, and File only + If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher. + + + Publisher, Name, File, and Min version only + If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened. + + + Publisher, Name, File, and Max version only + If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher. + + + All fields completed + If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher. + + -4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. +After you’ve entered the info into the fields, click **OK**. - >[!Note] - >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. +>[!Note] +>To add multiple Desktop apps, click the elipsis **…**. When you’re done, click **OK**. - ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) +![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) + +If you’re unsure about what to include for the publisher, you can run this PowerShell command: - **To find the Publisher values for Desktop apps** - If you’re unsure about what to include for the publisher, you can run this PowerShell command: +```ps1 +Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example: - ```ps1 - Get-AppLockerFileInformation -Path "" - ``` - Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`. +```ps1 +Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe" +``` - In this example, you'd get the following info: +In this example, you'd get the following info: - ``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US - ``` - Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. +``` +Path Publisher +---- --------- +%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US +``` -### Import a list of apps to your Allowed apps list -For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name. -**To create a list of Allowed apps using the AppLocker tool** +### Import a list of apps +For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. + +**To create a list of protected apps using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. @@ -238,11 +211,11 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap The **Create Packaged app Rules** wizard appears. -4. On the **Before You Begin** page, click **Next**. +4. On the **Before You Begin** page, click **Next**. ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png) @@ -250,19 +223,19 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap ![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. ![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png) -8. On the updated **Publisher** page, click **Create**. +8. On the updated **Publisher** page, click **Create**. ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png) -9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. +9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png) -9. Review the Local Security Policy snap-in to make sure your rule is correct. +9. Review the Local Security Policy snap-in to make sure your rule is correct. ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) @@ -300,47 +273,49 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To import your list of Allowed apps using Microsoft Intune** +**To import a list of protected apps using Microsoft Intune** -1. From the **Allowed apps** area, click **Import apps**. +1. In **Protected apps**, click **Import apps**. + + ![Import protected apps](images/import-protected-apps.png) - The blade changes to let you add your import file. + Then import your file. ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) 2. Browse to your exported AppLocker policy file, and then click **Open**. - The file imports and the apps are added to your **Allowed app** list. + The file imports and the apps are added to your **Protected apps** list. -### Add exempt apps to your policy +### Exempt apps from a WIP policy If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. -**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** +**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** -1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears. +1. In **Mobile apps - App protection policies**, click **Exempt apps**. - The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy. + ![Exempt apps](images/exempt-apps.png) -2. From the **Exempt apps** blade, click **Add apps**. +2. In **Exempt apps**, click **Add apps**. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic. + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. 3. Fill out the rest of the app info, based on the type of app you’re adding: - - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. + - [Add Recommended apps](#add-recommended-apps) - - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. + - [Add Store apps](#add-store-apps) - - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. + - [Add Desktop apps](#add-desktop-apps) - - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. + - [Import apps](#import-a-list-of-apps) -4. Click **OK**. +4. Click **OK**. ## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). @@ -369,11 +344,9 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor **To change your corporate identity** -1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. - The **Required settings** blade appears. - -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area. +2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area. ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) @@ -385,16 +358,12 @@ There are no default locations included with WIP, you must add each of your netw >[!Important] >Every WIP policy should include policy that defines your enterprise network locations.
    Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. -**To define where your allowed apps can find and send enterprise data on you network** +**To define where your protected apps can find and send enterprise data on you network** -1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. +1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**. 2. Click **Add network boundary** from the Network perimeter area. - The **Add network boundary** blade appears. - ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) 3. Select the type of network boundary to add from the **Boundary type** box. @@ -410,10 +379,15 @@ There are no default locations included with WIP, you must add each of your netw Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. - Network domain names + Protected domains + exchange.contoso.com,contoso.com,region.contoso.com + Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple domains, you must separate them using the "," delimiter. + + + Network domains corp.contoso.com,region.contoso.com Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    If you have multiple resources, you must separate them using the "," delimiter. @@ -458,14 +432,14 @@ There are no default locations included with WIP, you must add each of your netw After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. >[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic. +>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic. **To upload your DRA certificate** 1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. -2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. +2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) @@ -492,9 +466,9 @@ After you've decided where your protected apps can access enterprise data on you - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. @@ -503,7 +477,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. ## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. @@ -513,7 +487,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Related topics - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) @@ -524,9 +498,9 @@ Optionally, if you don’t want everyone in your organization to be able to shar - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) -- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) +- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune) - [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index 68e5de567f..12a7d8e8a4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 10/16/2017 --- # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune @@ -359,7 +359,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) @@ -414,7 +414,7 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. @@ -424,7 +424,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. @@ -475,7 +475,7 @@ After you've decided where your protected apps can access enterprise data on you - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index 9014f9ca05..2d44748948 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.author: lizross -ms.date: 10/13/2017 +ms.author: justinha +ms.date: 05/30/2018 localizationpriority: medium --- @@ -26,13 +26,18 @@ By using Microsoft Intune with Mobile application management (MAM), organization - Remove enterprise data from employee's devices - Report on mobile app inventory and track usage ->[!NOTE] ->This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, you must follow the instructions in the [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md) topic. +## Alternative steps if you already manage devices with MDM + +This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). + +If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. + +Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Prerequisites to using MAM with Windows Information Protection (WIP) -Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic. +Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10). -Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. +Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. >[!Important] >WIP doesn't support multi-identity. Only one managed identity can exist at a time. @@ -62,7 +67,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-add-policy.png) >[!Important] - >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, you must use these instructions, [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md), instead. + >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). 4. Click **Create**. @@ -132,7 +137,7 @@ If you don't know the publisher or product name for your Store app, you can find **To find the publisher and product name values for Store apps without installing them** 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. +2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. @@ -445,7 +450,7 @@ There are no default locations included with WIP, you must add each of your netw Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Network domain names @@ -550,7 +555,7 @@ After you've decided where your protected apps can access enterprise data on you - **MDM discovery URL.** Lets the **Windows Settings** > **Accounts** > **Access work or school** sign-in offer an **Upgrade to MDM** link. Additionally, this lets you switch to another MDM provider, so that Microsoft Intune can manage MAM, while the new MDM provider manages the MDM devices. By default, this is specified to use Microsoft Intune. #### Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. @@ -560,7 +565,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ### Choose whether to use and configure Windows Hello for Business You can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices. @@ -643,11 +648,11 @@ After you’ve created your policy, you'll need to deploy it to your employees. ## Related topics -- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/en-us/windows/client-management/mdm/implement-server-side-mobile-application-management) +- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) - [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/) -- [MAM-supported apps](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps) +- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 10a6ed181f..0bd2b3e912 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: eross-msft ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 05/30/2018 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) @@ -93,6 +93,8 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** notepad.exe
    **App Type:** Desktop app | |Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** mspaint.exe
    **App Type:** Desktop app | |Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** mstsc.exe
    **App Type:** Desktop app | +|Microsoft MAPI Repair Tool |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** fixmapi.exe
    **App Type:** Desktop app | + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png b/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png new file mode 100644 index 0000000000..31f979f9f1 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png b/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png new file mode 100644 index 0000000000..8522b463a7 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png b/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png new file mode 100644 index 0000000000..c702a0acff Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png new file mode 100644 index 0000000000..3ffbcce88c Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/exempt-apps.png b/windows/security/information-protection/windows-information-protection/images/exempt-apps.png new file mode 100644 index 0000000000..59b0ebd268 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/exempt-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png b/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png new file mode 100644 index 0000000000..eefe2c57d4 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png new file mode 100644 index 0000000000..ccc701332b Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png index ff743d4e05..9fbe37d56d 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png index 05398cb29d..5c0dd50bb0 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png index f9d257645a..01489c8059 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png index 7332236129..c467cd1e24 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png index d2aa8feb83..bdd625c9c6 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 1f82d1ef3c..58d83ff733 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -7,8 +7,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.author: lizross -ms.date: 10/26/2017 +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium --- @@ -69,7 +69,7 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

    Note
    For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

    Note
    For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045). You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. @@ -79,7 +79,7 @@ This table provides info about the most common problems you might encounter whil ActiveX controls should be used with caution. Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. - We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

    For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). + We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

    For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). Resilient File System (ReFS) isn't currently supported with WIP. @@ -105,7 +105,7 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 43ee4efa13..accb65ae90 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) @@ -29,7 +29,7 @@ This list provides all of the tasks and settings that are required for the opera |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| -|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.

    This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.| +|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.

    This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.| >[!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 4227a5f80b..b6041c8b1f 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -7,9 +7,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: coreyp-at-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Protect your enterprise data using Windows Information Protection (WIP) @@ -18,7 +18,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. @@ -29,7 +29,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune

    -OR-

    System Center Configuration Manager

    -OR-

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

    -OR-

    System Center Configuration Manager

    -OR-

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 41d141a9d4..d9b56f7ad3 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) @@ -18,7 +18,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 15ca7a4e9e..0d85fb8053 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Using Outlook on the web with Windows Information Protection (WIP) @@ -17,7 +17,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 82577755ce..b971c3a054 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Determine the Enterprise Context of an app running in Windows Information Protection (WIP) @@ -17,7 +17,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index d7cba5795f..c9cb9862fb 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 05/31/2018 --- # Domain member: Maximum machine account password age @@ -32,8 +32,9 @@ For more information, see [Machine Account Password Process](https://blogs.techn ### Best practices -It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. +1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites. +2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. ### Location diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index 18f934df2d..d0d4cfd9db 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -39,6 +39,7 @@ Limited periodic scanning is a special type of threat detection and remediation It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning @@ -69,4 +70,4 @@ Sliding the swtich to **On** will show the standard Windows Defender AV options ## Related topics - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index fb71bda388..6d409e7449 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -73,7 +73,7 @@ Active mode | Windows Defender AV is used as the antivirus app on the machine. A Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. +Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. @@ -90,4 +90,4 @@ In passive and automatic disabled mode, you can still [manage updates for Window ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) \ No newline at end of file +- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 8de9ab0c90..f66994565d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 05/03/2018 +ms.date: 05/29/2018 --- @@ -90,16 +90,13 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | Microsoft.com DNS record :---|:--- -Common URLs for all locations | ```*.blob.core.windows.net```
    ```crl.microsoft.com```
    ```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` +Common URLs for all locations | ```*.blob.core.windows.net```
    ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```events.data.microsoft.com``` US | ```us.vortex-win.data.microsoft.com```
    ```us-v20.events.data.microsoft.com```
    ```winatp-gw-cus.microsoft.com```
    ```winatp-gw-eus.microsoft.com``` Europe | ```eu.vortex-win.data.microsoft.com```
    ```eu-v20.events.data.microsoft.com```
    ```winatp-gw-neu.microsoft.com```
    ```winatp-gw-weu.microsoft.com``` UK | ```uk.vortex-win.data.microsoft.com```
    ```uk-v20.events.data.microsoft.com```
    ```winatp-gw-uks.microsoft.com```
    ```winatp-gw-ukw.microsoft.com``` -AU | ```au.vortex-win.data.microsoft.com```
    ```au-v20.events.data.microsoft.com```
    ```winatp-gw-aue.microsoft.com```
    ```winatp-gw-aus.microsoft.com``` - - - If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index e04a79d353..7a7abff824 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 7f17822158..e94b8c1f80 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/30/2018 --- # Investigate machines in the Windows Defender ATP Machines list @@ -164,6 +164,13 @@ You can add tags on machines using the following ways: ### Add machine tags by setting a registry key value Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. +>[!NOTE] +> Applicable only on the following machines: +>- Windows 10, version 1709 or later +>- Windows Server, version 1803 or later +>- Windows Server 2016 +>- Windows Server 2012 R2 + Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. Use the following registry key entry to add a tag on a machine: diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 71573b1352..e64acc561c 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. You will need to set up your preferences for the Windows Defender ATP portal. -3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in Europe or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. > [!WARNING] > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index 4d77042ae0..ba867a62e4 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -65,6 +65,7 @@ If you encounter an error when trying to get a refresh token when using the thre 5. Add the following URL: - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + - For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` 6. Click **Save**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 00c9b0bbaa..5fcdb543ec 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -22,6 +22,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later +- Windows Server 2016 - Microsoft Office 365 - Microsoft Office 2016 - Microsoft Office 2013 @@ -42,7 +43,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). @@ -191,7 +192,7 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. >[!WARNING] ->[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.] +>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] ### Rule: Block untrusted and unsigned processes that run from USB diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 753f9fd8a3..f0f6e4ea2b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -20,6 +20,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later +- Windows Server 2016 diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 19a6ecae33..21cec1e41c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- # Collect diagnostic data for Windows Defender Exploit Guard file submissions @@ -19,6 +19,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 2ce348a33d..4ad70db2f1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** @@ -51,7 +51,7 @@ All apps (any executable file, including .exe, .scr, .dll files and others) are This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 7f34a4b5d1..f8f6992650 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- # Customize Attack surface reduction @@ -19,7 +19,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10 Enterprise edition, version 1709 and later - +- Windows Server 2016 **Audience** @@ -35,7 +35,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 031a513662..700eb382ef 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 34dc3e27f0..e444865096 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- # Customize Exploit protection @@ -19,7 +19,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 0fb9cf5f6b..a945bdc331 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 3f1013add6..723db05106 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index aa0862bcbc..4fff608788 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index b2abb2149e..c4326ff783 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index d601c3b522..63e4996970 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -20,7 +20,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** @@ -37,7 +37,7 @@ ms.date: 04/30/2018 -Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index cdb72f5af8..c9085137fe 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -20,7 +20,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 4f08ee946e..9e2f73cee4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index da2a8e6e8e..3cd65ac50a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- # Evaluate Network protection @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10 Enterprise edition, version 1709 or later - +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 05/17/2018 -Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 2b34248e48..da6ac7fe66 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index a059876e54..24ff90fa5e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -12,7 +12,7 @@ ms.date: 04/16/2018 localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 7ba0dd60c9..b191cca98e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/21/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 05/21/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index c928c75ee1..f4ebee4b64 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 or higher - +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 02be571b69..412c817281 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -19,6 +19,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 or higher +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 250b4353fb..d055320c88 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 996a0d79d9..a6bd278ab2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience**