Notes:
- If you're running Windows 10 in S mode, some of the features of the Windows Security interface will be a little different. Windows 10 in S mode is streamlined for tighter security, so the Virus & threat protection area has fewer options than those described here. This is because the built-in security of Windows 10 in S mode automatically prevents viruses and other threats from running on your device. Additionally, devices running Windows 10 in S mode receive security updates automatically.
- In previous versions of Windows 10, Windows Security is called Windows Defender Security Center.
Virus & threat protection in Windows Security helps you scan for threats on your device. You can also run different types of scans, see the results of your previous virus and threat scans, and get the latest protection offered by Microsoft Defender Antivirus.
The Current threats area lets you:
- See any threats currently on your device.
- See the last time a scan was run on your device, how long it took, and how many files were scanned.
- Start a new scan.
- See threats that have been quarantined before they can affect you.
- See anything identified as a threat that you have allowed to run on your device.
Note: If you are using third-party antivirus software, you’ll be able to use its virus and threat protection options here.
Run the scans you want
Even though Windows Security is turned on and scans your device automatically, you can perform an additional scan whenever you want.
- Quick scan. Concerned that you may have done something to introduce a suspicious file or virus to your device? Select Quick scan (called Scan now in previous versions of Windows 10) to immediately check your device for any recent threats. This option is useful when you don’t want to spend the time running a full scan on all your files and folders. If Windows Security recommends that you run one of the other types of scans, you'll be notified when the Quick scan is done.
- Scan options. Select this link (called Run a new advanced scan in previous versions of Windows 10) to choose from one of the following advanced scan options:
  - Full scan. Scans every file or program that’s currently running on your device to make sure there’s nothing dangerous in progress.
  - Custom scan. Scans only files and folders that you select.
  - Microsoft Defender Offline scan. Uses the latest definitions to scan your device for the latest threats. Run it when you are concerned that your device has been exposed to malware or a virus, or if you want to scan your device without being connected to the Internet. This will restart your device, so be sure to save files you may have open.
Manage your Virus & threat protection settings
Use Virus & threat protection settings when you want to customize your level of protection, send sample files to Microsoft, exclude trusted files and folders from repeated scanning, or temporarily turn off your protection.
Manage your real-time protection
Want to stop running real-time protection for a short while? You can use the Real-time protection setting to turn it off temporarily; however, real-time protection will turn on automatically after a short while to resume protecting your device. While real-time protection is off, files you open or download won’t be scanned for threats.
Note: If the device you’re using is part of an organization, your system administrator may prevent you from turning off real-time protection.
Get access to cloud-delivered protection
Provide your device with access to the latest threat definitions and threat behavior detection in the cloud.
Send us files with automatic sample submission
If you’re connected to the cloud with cloud-delivered protection, you can send suspicious sample files to Microsoft to check them for potential threats. Microsoft will notify you if you need to send additional files—and alert you if a requested file contains personal information.
Tamper Protection defends your security settings
Microsoft Defender Antivirus settings can occasionally get changed by malicious or careless apps or processes, or sometimes by unaware people. With Tamper Protection turned on, important settings, like real-time protection, can't be easily or accidentally turned off.
Learn more about Tamper Protection.
Protect files from unauthorized access
Use the Controlled folder access setting to manage which folders apps can make changes to. You can also add additional apps you trust to make changes in those folders.
When you turn on Controlled folder access, a lot of the folders you use most often will be protected by default. This means that content in any of these folders cannot be accessed or changed by any unknown or untrusted apps. Once you add additional folders, they become automatically protected as well.
To add protected folders:
- Go to Start > Settings > Update & Security > Windows Security, and then select Virus & threat protection.
- Under Virus & threat protection settings, select Manage settings.
- Under Controlled folder access, select Manage Controlled folder access.
- Under Controlled folder access, select Protected folders.
- Select Add a protected folder and follow the instructions to add folders.
If you see an App is blocked message when you try to use a familiar app, you can simply unblock the app. Here's how:
- Write down or take note of the path of the blocked app.
- Select the message, and then select Add an allowed app.
- Browse for the program to which you want to allow access.
Note: If you try to save a file to a folder and the folder is blocked, that means the app you’re using is blocked from saving to that location. If that happens, save the file to another location on your device. Then use the previous steps to unblock the app, and you’ll be able to save the files to your desired location.
Exclude items from virus scans
There may be times when you’ll want to exclude specific files, folders, file types, or processes from being scanned, such as if these are trusted items and you are certain you don’t need to take time to scan them.
Curate your notifications
Windows Security will send notifications about the health and safety of your device. You can turn these notifications on, or off, on the notifications page. In Virus & threat protection, under Virus & threat protection settings, select Manage settings, scroll down to Notifications and select Change notification settings.
Protect your device with the latest updates
Security intelligence (sometimes referred to as 'definitions') are files that contain information about the latest threats that could infect your device. Windows Security uses security intelligence every time a scan is run.
Microsoft automatically downloads the latest intelligence to your device as part of Windows Update, but you can also manually check for it. On the Virus & threat protection page, under Virus & threat protection updates, select Check for updates to scan for the latest security intelligence.
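A read-only check of the settings covered in this section, as an added example (not part of the original article and not Microsoft's own code). It reads objects shaped like the output of the built-in `Get-MpComputerStatus` and `Get-MpPreference` cmdlets; the function name, the three-day threshold and the sample values are assumptions made for illustration.

```powershell
function Get-DefenderPostureFinding {
    param(
        [Parameter(Mandatory)]$Status,       # object shaped like Get-MpComputerStatus output
        [Parameter(Mandatory)]$Preference,   # object shaped like Get-MpPreference output
        [int]$MaxSignatureAgeDays = 3        # assumed threshold; set it to your policy
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $Status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $Status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Security intelligence is $($Status.AntivirusSignatureAge) days old")
    }
    # MAPSReporting: 0 means cloud-delivered protection is disabled.
    if ($Preference.MAPSReporting -eq 0) { $findings.Add('Cloud-delivered protection is off') }
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
    if ($Preference.EnableControlledFolderAccess -ne 1) {
        $findings.Add('Controlled folder access is not enforcing')
    }
    # Each exclusion is a location scans skip, so list them all for review.
    # Non-elevated sessions get an 'N/A' placeholder instead of the real list.
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($item in @($Preference.$kind)) {
            if ($item -and $item -notlike 'N/A*') { $findings.Add("${kind}: $item") }
        }
    }
    $findings
}

# Constructed sample values (not from a real device) so the logic runs anywhere.
$sampleStatus = [pscustomobject]@{
    RealTimeProtectionEnabled = $true
    IsTamperProtected         = $false
    AntivirusSignatureAge     = 9
}
$samplePref = [pscustomobject]@{
    MAPSReporting                = 2
    EnableControlledFolderAccess = 0
    ExclusionPath                = @('C:\Build\out')
    ExclusionExtension           = $null
    ExclusionProcess             = $null
}
Get-DefenderPostureFinding -Status $sampleStatus -Preference $samplePref

# On a live Windows 10 device, from an elevated session so exclusions are visible:
# Get-DefenderPostureFinding -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
```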
This article helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune, users enroll Windows devices by signing in with their work or school account.
As an Intune admin, you can simplify enrollment in the following ways:
- Enable automatic enrollment (Azure AD Premium required).
- CNAME registration.
- Enable bulk enrollment (Azure AD Premium and Windows Configuration Designer required).
Two factors determine how you can simplify Windows device enrollment:
- Do you use Azure Active Directory Premium?
  Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
- What versions of Windows clients will users enroll?
  Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll using the Company Portal app.
Windows version | Azure AD Premium | Other AD |
---|---|---|
Windows 10 | Automatic enrollment | User enrollment |
Earlier Windows versions | User enrollment | User enrollment |
Organizations that can use automatic enrollment can also configure bulk enrollment of devices by using the Windows Configuration Designer app.
Device enrollment prerequisites
Before an administrator can enroll devices to Intune for management, licenses should have already been assigned to the administrator's account. Read about assigning licenses for device enrollment.
Multi-user support
Intune supports multiple users on devices that both:
- run the Windows 10 Creator's update
- are Azure Active Directory domain-joined.
When standard users sign in with their Azure AD credentials, they receive apps and policies assigned to their user name. Only the device's Primary user can use the Company Portal for self-service scenarios like installing apps and performing device actions (Remove, Reset). For shared Windows 10 devices that do not have a primary user assigned, the Company Portal can still be used to install Available apps.
Enable Windows 10 automatic enrollment
Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background, the device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.
Prerequisites
- Azure Active Directory Premium subscription (trial subscription)
- Microsoft Intune subscription
Configure automatic MDM enrollment
- Sign in to the Azure portal, and select Azure Active Directory.
- Select Mobility (MDM and MAM).
- Select Microsoft Intune.
- Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune.
  - None - MDM automatic enrollment disabled
  - Some - Select the Groups that can automatically enroll their Windows 10 devices
  - All - All users can automatically enroll their Windows 10 devices

  Important

  For Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will not be MDM enrolled, and Windows Information Protection (WIP) Policies will be applied if you have configured them.

  If your intent is to enable automatic enrollment for Windows BYOD devices to an MDM: configure the MDM user scope to All (or Some, and specify a group) and configure the MAM user scope to None (or Some, and specify a group – ensuring that users are not members of a group targeted by both MDM and MAM user scopes).

  For corporate devices, the MDM user scope takes precedence if both MDM and MAM user scopes are enabled. The device will get automatically enrolled in the configured MDM.

  Note

  MDM user scope must be set to an Azure AD group that contains user objects.
- Use the default values for the following URLs:
  - MDM Terms of use URL
  - MDM Discovery URL
  - MDM Compliance URL
- Select Save.
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is recommended when registering a device. To enable two-factor authentication, configure a two-factor authentication provider in Azure AD and configure your user accounts for multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.
Simplify Windows enrollment without Azure AD Premium
To simplify enrollment, create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.
Step 1: Create CNAME (optional)
Create CNAME DNS resource records for your company's domain. For example, if your company's website is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.
Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.
Type | Host name | Points to | TTL |
---|---|---|---|
CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
CNAME | EnterpriseRegistration.company_domain.com | EnterpriseRegistration.windows.net | 1 hour |
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use the following formats as their email/UPN:
The Contoso DNS admin should create the following CNAMEs:
Type | Host name | Points to | TTL |
---|---|---|---|
CNAME | EnterpriseEnrollment.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
CNAME | EnterpriseEnrollment.us.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
CNAME | EnterpriseEnrollment.eu.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
EnterpriseEnrollment-s.manage.microsoft.com – Supports a redirect to the Intune service with domain recognition from the email's domain name.

Changes to DNS records might take up to 72 hours to propagate. You can't verify the DNS change in Intune until the DNS record propagates.
Additional endpoints are used but no longer supported
EnterpriseEnrollment-s.manage.microsoft.com is the preferred FQDN for enrollment. There are two other endpoints that have been used by customers in the past and still work, but they are no longer supported. EnterpriseEnrollment.manage.microsoft.com (without the -s) and manage.microsoft.com both work as the target for the auto-discovery server, but the user will have to touch OK on a confirmation message. If you point to EnterpriseEnrollment-s.manage.microsoft.com, the user won't have to do the additional confirmation step, so this is the recommended configuration.
Alternate Methods of Redirection Are Not Supported
Using a method other than the CNAME configuration is not supported. For example, using a proxy server to redirect enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc to either enterpriseenrollment-s.manage.microsoft.com/EnrollmentServer/Discovery.svc or manage.microsoft.com/EnrollmentServer/Discovery.svc is not supported.
Step 2: Verify CNAME (optional)
- In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > CNAME Validation.
- In the Domain box, enter the company website and then choose Test.
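A DNS-side check to run alongside the admin center test, as an added example (not part of the original article and not Microsoft's own code). For each UPN suffix it compares the enrollment and registration CNAMEs against the targets named on this page and flags the two legacy enrollment targets; the function name, status labels and sample zone data are assumptions made for illustration.

```powershell
# Expected targets and legacy targets are the ones named in this article.
$Expected = [ordered]@{
    EnterpriseEnrollment   = 'enterpriseenrollment-s.manage.microsoft.com'
    EnterpriseRegistration = 'enterpriseregistration.windows.net'
}
$Legacy = @('enterpriseenrollment.manage.microsoft.com', 'manage.microsoft.com')

# Live resolver: returns the CNAME target for a host name, or $null if there is none.
$LiveResolver = {
    param($HostName)
    $r = Resolve-DnsName -Name $HostName -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($r) { $r.NameHost } else { $null }
}

function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)][string[]]$UpnSuffix,
        [scriptblock]$Resolver = $LiveResolver
    )
    foreach ($suffix in $UpnSuffix) {
        foreach ($label in $Expected.Keys) {
            $hostName = "$label.$suffix"
            $target = & $Resolver $hostName
            # Normalise case and any trailing root dot before comparing.
            $norm = if ($target) { $target.TrimEnd('.').ToLowerInvariant() } else { $null }
            $status = if (-not $norm) { 'Missing' }
            elseif ($norm -eq $Expected[$label]) { 'OK' }
            elseif ($label -eq 'EnterpriseEnrollment' -and $Legacy -contains $norm) { 'LegacyTarget' }
            else { 'UnexpectedTarget' }
            [pscustomobject]@{ Host = $hostName; Target = $norm; Status = $status }
        }
    }
}

# Constructed sample zone data (not real DNS answers) so the logic runs offline.
$SampleZone = @{
    'EnterpriseEnrollment.contoso.com'    = 'EnterpriseEnrollment-s.manage.microsoft.com.'
    'EnterpriseRegistration.contoso.com'  = 'EnterpriseRegistration.windows.net'
    'EnterpriseEnrollment.us.contoso.com' = 'EnterpriseEnrollment.manage.microsoft.com'
    'EnterpriseEnrollment.eu.contoso.com' = 'mdm.example.net'
}
$SampleResolver = { param($HostName) $SampleZone[$HostName] }

Test-EnrollmentCname -UpnSuffix 'contoso.com', 'us.contoso.com', 'eu.contoso.com' `
    -Resolver $SampleResolver | Format-Table -AutoSize
```

Omit `-Resolver` to query live DNS. An `UnexpectedTarget` row means enrollment discovery for that suffix is being sent somewhere other than the Microsoft endpoint and should be investigated before users enroll.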
Tell users how to enroll Windows devices
Tell your users how to enroll their Windows devices and what to expect after they're brought into management.
Note
End users must access the Company Portal website through Microsoft Edge to view Windows apps that you've assigned for specific versions of Windows. Other browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer do not support this type of filtering.
For end-user enrollment instructions, see Enroll Windows 10 device and Enroll Windows 8.1 or Windows RT 8.1 device. You can also tell users to review What can my IT admin see on my device.
Important
If you do not have Auto-MDM enrollment enabled, but you have Windows 10 devices that have been joined to Azure AD, two records will be visible in the Intune console after enrollment. You can stop this by making sure that users with Azure AD joined devices go to Accounts > Access work or school and Connect using the same account.
For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.
Registration and Enrollment CNAMEs
Azure Active Directory has a different CNAME that it uses for device registration for iOS/iPadOS, Android, and Windows devices. Intune conditional access requires devices to be registered, also called 'workplace joined'. If you plan to use conditional access, you should also configure the EnterpriseRegistration CNAME for each company name you have.
Type | Host name | Points to | TTL |
---|---|---|---|
CNAME | EnterpriseRegistration.company_domain.com | EnterpriseRegistration.windows.net | 1 hour |
For more information about device registration, see Manage device identities using the Azure portal.
Windows 10 auto enrollment and device registration
This section applies to US government cloud customers.
Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.us.
Type | Host name | Points to | TTL |
---|---|---|---|
CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.us | 1 hour |
CNAME | EnterpriseRegistration.company_domain.com | EnterpriseRegistration.windows.net | 1 hour |
Next steps
- Considerations when managing Windows devices using Intune on Azure.