diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index e6a9c13cf5..958763bfbc 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19463,7 +19463,7 @@
 {
 "source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md",
 "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware",
- "redirect_document_id": false
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md",
@@ -20114,7 +20114,7 @@
 "source_path": "windows/deployment/update/update-compliance-v2-enable.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-enable",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-help.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-help",
@@ -20124,22 +20124,22 @@
 "source_path": "windows/deployment/update/update-compliance-v2-overview.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-overview",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-prerequisites.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-prerequisites",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclient.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclient",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus",
@@ -20149,17 +20149,17 @@
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucdevicealert",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucupdatealert",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema",
@@ -20194,7 +20194,7 @@
 "source_path": "windows/deployment/planning/features-lifecycle.md",
 "redirect_url": "/windows/whats-new/feature-lifecycle",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
 "redirect_url": "/windows/whats-new/deprecated-features",
@@ -20205,7 +20205,7 @@
 "redirect_url": "/windows/whats-new/removed-features",
 "redirect_document_id": false
 },
- {
+ {
 "source_path": "windows/deployment/usmt/usmt-common-issues.md",
 "redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
 "redirect_document_id": false
@@ -20514,6 +20514,86 @@
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
 "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
 "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/client-management/mdm/policy-ddf-file.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
+ "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/get-support-for-security-baselines.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/credential-guard/credential-guard-scripts.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path":
"windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/whats-new/windows-10-insider-preview.md",
+ "redirect_url": "/windows/whats-new",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md",
+ "redirect_url": "/windows/security",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index d36533a87e..361003c659 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -28,6 +28,9 @@
 ],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier3"
+ ],
 "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "microsoft-edge",
diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml
index 41ba94ebb6..25f20730ab 100644
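Review bot: The new entry for `dg-readiness-tool.md` sets `"redirect_document_id": true` while pointing at `credential-guard`, which reads as an existing topic rather than a relocated copy of the tool page; if that target already carries its own document id, the entry should use `"redirect_document_id": false` like the other retirement entries in this hunk (the `policy-ddf-file.md` entry has the same shape and deserves the same check). Separately, the TPM owner-password and lockout pages, the Credential Guard scripts page, the BitLocker recovery-loop page, the WDAC audit/enforce page and both Windows Firewall pages all land on the `/windows/security` hub, so existing deep links from hardening guidance and runbooks will resolve but lose their specific procedure; where a successor topic exists, a per-topic target like the `dg-readiness-tool.md` → `credential-guard` mapping keeps those links useful. The enclosing JSON array starts outside the hunk.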
--- a/browsers/edge/microsoft-edge-faq.yml
+++ b/browsers/edge/microsoft-edge-faq.yml
@@ -2,6 +2,7 @@
 metadata:
 title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros
 ms.reviewer:
+ ms.date: 12/14/2020
 audience: itpro
 manager: dansimp
 description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
index 30d32a8d1a..2c433182a9 100644
--- a/browsers/enterprise-mode/enterprise-mode.md
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -11,7 +11,7 @@ ms.reviewer:
 manager: dansimp
 title: Enterprise Mode for Microsoft Edge
 ms.sitesec: library
-ms.date: ''
+ms.date: 07/17/2018
 ---
 # Enterprise Mode for Microsoft Edge
@@ -55,5 +55,3 @@ You can build and manage your Enterprise Mode Site List is by using any generic
 ### Add multiple sites to the site list
-
-
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 4573423115..2cfad8e8db 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -1,3 +1,6 @@
+---
+ms.date: 07/17/2018
+---
 Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
index 34359d6f1b..b10897a3d3 100644
--- a/browsers/enterprise-mode/what-is-enterprise-mode-include.md
+++ b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
@@ -1,4 +1,7 @@
+---
+ms.date: 07/17/2018
+---
 ## What is Enterprise Mode?
 Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
\ No newline at end of file
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index f52e815de7..626d8e7d35 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -24,6 +24,9 @@
 ],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier3"
+ ],
 "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.topic": "article",
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index b795f7aab3..75027dfd9d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -9,6 +9,7 @@ title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Expl
 ms.sitesec: library
 ms.localizationpriority: medium
 manager: dansimp
+ms.date: 02/24/2016
 ---
@@ -62,4 +63,4 @@ IE11 offers differing experiences in Windows 8.1:
 ## Related topics
 - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
 - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index f72747f486..08899cb2db 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -6,6 +6,7 @@ author: dansimp
 ms.prod: ie11
 ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
 ms.reviewer:
+ms.date: 03/15/2016
 audience: itpro
 manager: dansimp
 ms.author: dansimp
@@ -60,8 +61,3 @@ You can also click **Select All** to add, or **Clear All** to remove, all of the     
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 5b662eeca6..d4dde73e8c 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -9,6 +9,7 @@ title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
 ms.sitesec: library
 ms.localizationpriority: medium
 manager: dansimp
+ms.date: 03/15/2016
 ---
@@ -49,4 +50,4 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
 - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
 - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
 - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index 912ce707bd..2ba0956295 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -1,16 +1,12 @@
 ---
 author: aczechowski
 ms.author: aaroncz
-ms.date: 12/16/2022
+ms.date: 02/14/2023
 ms.reviewer: cathask
 manager: aaroncz
 ms.prod: ie11
 ms.topic: include
 ---
-> [!WARNING]
-> **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023.
->
-> We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption.
->
-> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
+> [!CAUTION]
+> **Update:** The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
diff --git a/education/docfx.json b/education/docfx.json
index fa2265b104..993809eee6 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -29,7 +29,10 @@
 "globalMetadata": {
 "recommendations": true,
 "ms.topic": "article",
- "ms.collection": "education",
+ "ms.collection": [
+ "education",
+ "tier2"
+ ],
 "ms.prod": "windows-client",
 "ms.technology": "itpro-edu",
 "author": "paolomatarazzo",
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index f3861da706..e41ec1ade3 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -1,3 +1,6 @@
+---
+ms.date: 10/24/2020
+---
diff --git a/education/index.yml b/education/index.yml
index ef45124188..29efffa3ae 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -45,7 +45,7 @@ productDirectory:
 text: Azure information protection deployment acceleration guide
 - url: /defender-cloud-apps/get-started
 text: Microsoft Defender for Cloud Apps
- - url: /microsoft-365/compliance/create-test-tune-dlp-policy
+ - url: /microsoft-365/compliance/information-protection#prevent-data-loss
 text: Data loss prevention
 - url: /microsoft-365/compliance/
 text: Microsoft Purview compliance
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 0901d32b40..c6fc526cd0 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -7,6 +7,7 @@ appliesto:
 - ✅ Windows 10
 ms.collection:
 - highpri
+ - tier2
 - education
 ---
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 1826ecd768..fea632b61a 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -7,6 +7,9 @@ author: scottbreenmsft
 ms.author: scbree
 ms.reviewer: paoloma
 manager: jeffbu
+ms.collection:
+ - tier3
+ - education
 appliesto:
 - ✅ Windows 10 and later
 ---
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index f377a4582c..a134019d38 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -7,6 +7,7 @@ appliesto:
 - ✅ Windows 10
 ms.collection:
 - highpri
+ - tier2
 - education
 ---
@@ -147,7 +148,7 @@ Existing Azure AD domain joined devices will be changed to Windows 10 Pro Educat
 ### For new devices that are not Azure AD joined
 Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition.
-#### Step 1: Join users’ devices to Azure AD
+#### Step 1: Join users' devices to Azure AD
 Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703.
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 5198c4f4d6..60ad9dce9e 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 01/17/2023
+ms.date: 02/10/2023
 ms.topic: how-to
 ---
@@ -42,7 +42,7 @@ To test federation, the following prerequisites must be met:
 1. On the *Service provider details* page
 - Select the option **Signed response**
 - Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
+ - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
 If using Google auto-provisioning, select **Basic Information > Primary email**
 - Select **Continue**
 1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 023393a04f..56094c8023 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Configure Stickers for Windows 11 SE
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 09ceb1908c..0ea3ad5e3d 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -5,6 +5,10 @@ ms.date: 01/12/2023
 ms.topic: how-to
 appliesto:
 - ✅ Windows 11 SE
+ms.collection:
+ - highpri
+ - tier1
+ - education
 ---
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 903d8182e3..53ac374a11 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Get Minecraft: Education Edition
diff --git a/education/windows/images/suspcs/2023-02-16_13-02-37.png b/education/windows/images/suspcs/2023-02-16_13-02-37.png
new file mode 100644
index 0000000000..dc396099bf
Binary files /dev/null and b/education/windows/images/suspcs/2023-02-16_13-02-37.png differ
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index fca31b0f6b..150285950b 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # For IT administrators - get Minecraft: Education Edition
@@ -34,7 +35,7 @@ If you turn off this setting after students have been using Minecraft: Education
 Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies).
-If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
+If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
 ### Minecraft: Education Edition - direct purchase
@@ -48,7 +49,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
 5. Select the quantity of licenses you would like to purchase and select **Place Order**.
-6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
+6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
 If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
@@ -57,7 +58,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Buy o
 Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
 - Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
-- You’ll receive an email with a link to Microsoft Store for Education.
+- You'll receive an email with a link to Microsoft Store for Education.
 - Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
 ## Minecraft: Education Edition payment options
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index df19ac8729..f11f1f684a 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # For teachers - get Minecraft: Education Edition
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 06e17f21da..eaeda25979 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Test Windows 10 in S mode on existing Windows 10 education devices
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 8a63a27c99..0ee49c8f45 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier1
 ---
 # Windows 11 SE Overview
@@ -93,6 +94,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
 | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
 | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
+| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
+| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
 | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
 | `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
 | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
@@ -104,7 +107,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
 | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
 | `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
-| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
+| `Google Chrome` | 109.0.5414.75 | Win32 | `Google` |
+| `GuideConnect` | 1.23 | Win32 | `Dolphin Computer Access` |
 | `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
 | `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
 | `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
@@ -137,10 +141,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
 | `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` |
 | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
-| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
+| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
 | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
 | `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
-|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development`
+|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
 | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
 | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
 | `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 774fca45dd..36e841ae91 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -5,6 +5,9 @@ ms.topic: article
 ms.date: 09/12/2022
 appliesto:
 - ✅ Windows 11 SE
+ms.collection:
+ - education
+ - tier1
 ---
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 9388758a6c..4be7b72365 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -32,6 +32,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
 "ms.author": "trudyha",
 "audience": "ITPro",
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 5555b333e4..99a065dd84 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -1,3 +1,6 @@
+---
+ms.date: 10/31/2020
+---
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 4cd7b0588c..1c1b014b8d 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -35,6 +35,9 @@
 "globalMetadata": {
 "recommendations": true,
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
+ "ms.collection": [
+ "tier2"
+ ],
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "itpro-apps",
 "ms.topic": "article",
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index 1e692a53a0..6cfbbac63c 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -43,314 +43,314 @@ The following information lists the system apps on some Windows Enterprise OS ve - File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89 --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515 --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - InputApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.AccountsControl | Package name: Microsoft.AccountsControl --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Hello setup UI | Package name: Microsoft.BioEnrollment --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.CredDialogHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.ECApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.LockApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft Edge | Package name: Microsoft.MicrosoftEdge --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.MicrosoftEdgeDevToolsClient --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.PPIProjection --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.Win32WebViewHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.Apprep.ChxApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.AssignedAccessLockApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.CapturePicker --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.CloudExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.ContentDeliveryManager --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Cortana | Package name: Microsoft.Windows.Cortana --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.Windows.OOBENetworkCaptivePort --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.OOBENetworkConnectionFlow --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.ParentalControls --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - People Hub | Package name: Microsoft.Windows.PeopleExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.PinningConfirmationDialog --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.SecHealthUI --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.SecureAssessmentBrowser --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Start | Package name: Microsoft.Windows.ShellExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.XboxGameCallableUI --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Windows.CBSPreview --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Settings | Package name: Windows.immersivecontrolpanel --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Print 3D | Package name: Windows.Print3D --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ✔️ | | | ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ✔️ | ✔️ | | | ✔️ | --- - Print UI | Package name: Windows.PrintDialog --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index d5697e455b..095188a9ba 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -8,7 +8,9 @@ manager: aaroncz ms.localizationpriority: medium ms.date: 03/28/2022 ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index f2c906993c..5cd9b9cbb6 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,14 +1,16 @@ --- title: Azure Active Directory integration with MDM description: Azure Active Directory is the world's largest enterprise cloud identity management service. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -46,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in > [!IMPORTANT] > Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - + ### BYOD scenario Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. @@ -70,7 +72,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en > [!NOTE] > Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. - + ### MDM endpoints involved in Azure AD–integrated enrollment Azure AD MDM enrollment is a two-step process: @@ -187,7 +189,7 @@ The following image show how MDM applications show up in the Azure app gallery. ### Add cloud-based MDM to the app gallery > [!NOTE] -> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application The following table shows the required information to create an entry in the Azure AD app gallery. 
@@ -200,7 +202,7 @@ The following table shows the required information to create an entry in the Azu |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| - + ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. @@ -232,7 +234,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is |--- |--- |--- |--- |--- | |FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css| |MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css| - + ## Terms of Use protocol semantics The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. @@ -332,7 +334,7 @@ The following table shows the error codes. |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| - + ## Enrollment protocol with Azure AD With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md index b77a1761a8..5b7f08ac50 100644 --- a/windows/client-management/change-history-for-mdm-documentation.md +++ b/windows/client-management/change-history-for-mdm-documentation.md 
@@ -185,7 +185,7 @@ As of November 2020 This page will no longer be updated. This article lists new |[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.| |[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.| |[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.| -|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy
  • DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • Update/UpdateNotificationLevel

    Start/DisableContextMenus - added in Windows 10, version 1803.

    RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.| ## July 2018 @@ -217,7 +217,7 @@ As of November 2020 This page will no longer be updated. This article lists new |New or updated article|Description| |--- |--- | -|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
  • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
  • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| ## April 2018 @@ -281,7 +281,7 @@ As of November 2020 This page will no longer be updated. This article lists new | New or updated article | Description | | --- | --- | -| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. | +| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. | | [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:

    - Defender/ControlledFolderAccessAllowedApplications - string separator is `|`
    - Defender/ControlledFolderAccessProtectedFolders - string separator is `|` | | [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | | [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. | @@ -313,5 +313,5 @@ As of November 2020 This page will no longer be updated. This article lists new |[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:
  • Installation/CurrentStatus| |[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| |[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
  • Changed some data types from integer to bool.
  • Updated the list of supported operations for some settings.
  • Added default values.| -|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
  • Browser/ProvisionFavorites
  • Browser/LockdownFavorites
  • ExploitGuard/ExploitProtectionSettings
  • Games/AllowAdvancedGamingServices
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Privacy/EnableActivityFeed
  • Privacy/PublishUserActivities
  • Update/DisableDualScan
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

    Changed the names of the following policies:
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

    Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).

    There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
  • Start/HideAppList| diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 18fb8a5311..88a544e7d9 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -6,10 +6,12 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa ms.date: 01/18/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- 
@@ -29,23 +31,23 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. -- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. - On the PC you want to connect to: 1. Open system properties for the remote PC. - + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. ![Allow remote connections to this computer.](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. 
To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: - + - Adding users manually - + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: ```powershell net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" @@ -62,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - Adding users using policy - + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4964a3969d..4c730c626d 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md @@ -1,7 +1,7 @@ --- title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -9,7 +9,9 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/15/2017
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ---
 
 # Mobile device management (MDM) for device updates
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md
index 67b61ceb3c..1f8a9dd881 100644
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md
@@ -1,7 +1,7 @@
 ---
 title: Diagnose MDM failures in Windows 10
 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -9,7 +9,9 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/25/2018
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ---
 
 # Diagnose MDM failures in Windows 10
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 8c038b6c43..ae506a8cb0 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -34,6 +34,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "itpro-manage",
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 80e253c59f..8bffb182d7 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Enroll a Windows 10 device automatically using Group Policy @@ -188,19 +190,19 @@ Requirements: - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - + - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: 
@@ -214,13 +216,13 @@ Requirements: - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index ff469792d0..d782edc5b3 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -11,6 +11,7 @@ metadata: ms.technology: itpro-manage ms.collection: - highpri + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 7cf55e0587..0771fcc433 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -5,10 +5,12 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa ms.date: 09/14/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- 
@@ -51,7 +53,7 @@ First, you create a default user profile with the customizations that you want, 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. > [!NOTE] - > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index f5d5c1dc39..7023a7b517 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -1,17 +1,19 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: +MS-HAID: - 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -35,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio > [!NOTE] > Mobile devices can't be connected to an Active Directory domain. -### Out-of-box-experience +### Out-of-box-experience Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: @@ -90,7 +92,7 @@ There are a few instances where your device can't be connected to an Active Dire | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - + ### Connect your device to an Azure AD domain (join Azure AD) @@ -167,9 +169,9 @@ There are a few instances where your device can't be connected to an Azure AD do | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - -## Connect personally owned devices + +## Connect personally owned devices Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. 
@@ -247,7 +249,7 @@ To create a local account and connect the device: ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. - + ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. @@ -260,7 +262,7 @@ There are a few instances where your device may not be able to connect to work. | You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | - + ## Connect your Windows 10-based device to work using a deep link 
@@ -283,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. +> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. ### Connect to MDM using a deep link > [!NOTE] > Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link: -> +> > - **ms-device-enrollment:?mode=mdm** > - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`** @@ -342,7 +344,7 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ![work or school info.](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. +> Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect @@ -363,7 +365,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) - + diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 8c630a325a..fd9f4c2321 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md 
@@ -9,7 +9,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile Device Management overview diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index 4a903492c4..c8fad72461 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -1,7 +1,7 @@ --- title: Configuration service provider DDF files description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -9,14 +9,578 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider DDF files -This topic shows the OMA DM device description framework (DDF) for various configuration service providers. DDF files are used only with OMA DM provisioning XML. +This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML. -You can download the DDF files for various CSPs from the links below: +As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download: + +- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip) + +## DDF v2 schema + +DDF v2 XML schema definition is listed below along with the schema definition for the referenced `MSFT` namespace. + +- Schema definition for DDF v2: + + ```xml + + + + + + Starting point for DDF + + + + + + + + + + + + + Main Recurring XML tag describing nodes of the CSP + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Schema definition for the `MSFT` namespace: + + ```xml + + + + + This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature. + + + + + This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set. + + + + + + + + This node contains information on how to dynamically name the node such that the name is valid. 
+ + + + + + This indicates that the server should generate a unique identifier for the node. + + + + + This indicates that the client will generate the name of the node based on the device state (such as inventorying apps). + + + + + This indicates that the server should name the node, and the value listed gives a regex to define what is allowed. + + + + + + + + + The type of the conflict resolution. + + + + + No policy merge. + + + + + The lowest value is the most secure policy value. + + + + + The highest value is the most secure policy value. + + + + + The last written value is current value + + + + + The lowest value is the most secure policy value unless the value is zero. + + + + + The highest value is the most secure policy value unless the value is zero. + + + + + + + + These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes. + + + + + + This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release." + + + + + This tag describes the lowest CSP Version that the node was released to. + + + + + This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business. + + + + + This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable. + + + + + + + + These tags describe what values are allowed to be set for this particular node. + + + + + + + + + + This attribute describes what kind of Allowed Values tag this is. + + + + + + This attribute indicates that the Value tag contains an XSD for the node. + + + + + This attribute indicates that the Value tag contains a RegEx for the node. + + + + + This attribute indicates that the node can be described by an external ADMX file. 
+ + + + + This attribute indicates that the node can be described by a JSON schema. + + + + + This attribute indicates that the allowed values are an enumeration. + + + + + This attribute indicates that the allowed values can be combined into a bitwise flag. + + + + + This attribute indicates that the allowed values are a numerical range. + + + + + This attribute indicates that the allowed values are a string in the SDDL format. + + + + + This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values. + + + + + + + + + + + + This tag indicates that the node input can contain multiple, delimited values. + + + + + This attribute details the delimeter used for the list of values. + + + + + + + + + + + This tag indicates an allowed value. + + + + + This tag gives further description to an allowed value, such as for an enumeration. + + + + + + + + + + + + + + This tag gives details for one particular enumeration of the allowed values. + + + + + + + + + + This tag indicates the relevent details for the corresponding ADMX policy for this node. + + + + + This attribute gives the area path of the ADMX policy. + + + + + This attribute gives the name of the ADMX policy. + + + + + This attribute gives the filename for the ADMX policy. + + + + + + + This tag details the replace behavior of the node. + + + + + + When performing a replace operation on this node, the value is appending to the existing node data. + + + + + When performing a replace operation on this node, the existing node data is removed before new data is added. + + + + + + + + This tag describes the reboot behavior of the node. + + + + + + No reboot is required for this node. + + + + + This node will automatically perform a reboot to take effect. + + + + + This node needs a reboot initiated from an external source to take effect. 
+ + + + + + + + This tag details the information necessary to map this node to an existing group policy. + + + + + This attribute details the English name of the GP. + + + + + This attribute details the area path of the GP. + + + + + This attribute details a particular element of a GP that the CSP node maps to. + + + + + + + This tag lists out common error HRESULTS reported by the CSP and English text to associate with them. + + + + + + + + + + + + + + + + + + + This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client. + + + + + These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP. + + + + + + + + + + This tag describes a dependency that the current CSP node has on another nodes in the same CSP. + + + + + + The URI that the current CSP node has a dependency on. + + + + + + + This tag details the kind of dependency. + + + + + + The current node depends on the dependency holding a certain value. + + + + + The current node depends on the dependency not holding a certain value. + + + + + + + + + + This tag details one specific dependency. A node might have multiple different dependencies. + + + + + + + + + This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies. + + + + + + + This tag details the values that the dependency must be set to for the dependency to be satisfied. + + + + + + + + + This tag details a change to the current node's allowed values if the dependency is satisfied. 
+ + + + + + + + ``` + +## Older DDF files + +You can download the older DDF files for various CSPs from the links below: - [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip) 
@@ -26,4 +590,15 @@ You can download the DDF files for various CSPs from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -You can download DDF file for Policy CSP from [Policy DDF file](policy-ddf-file.md). +You can download the older Policy area DDF files by clicking the following links: + +- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) +- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) +- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) +- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) +- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) +- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) +- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) +- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) +- [View the Policy DDF file for Windows 10, version 
1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) +- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md index 4afed5993c..80f903585c 100644 --- a/windows/client-management/mdm/configuration-service-provider-support.md +++ b/windows/client-management/mdm/configuration-service-provider-support.md @@ -1,7 +1,7 @@ --- title: Configuration service provider support description: Learn more about configuration service provider (CSP) supported scenarios. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider support diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 241e6803a9..9bb47acd36 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # DynamicManagement CSP diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index d8bd8ed982..094b2b87da 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml 
@@ -11,6 +11,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier1 ms.custom: intro-hub-or-landing author: vinaypamnani-msft ms.author: vinpa @@ -47,7 +48,7 @@ landingContent: - text: Policy CSP url: policy-configuration-service-provider.md - text: Policy DDF file - url: policy-ddf-file.md + url: configuration-service-provider-ddf.md - text: Policy CSP - Start url: policy-csp-start.md - text: Policy CSP - Update diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index e6748d67f8..2b636d3e4f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/30/2023 +ms.date: 02/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -814,6 +814,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) - [SetEDURestart](policy-csp-update.md) - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) +- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md) - [SetDisableUXWUAccess](policy-csp-update.md) - [SetDisablePauseUXAccess](policy-csp-update.md) - [UpdateNotificationLevel](policy-csp-update.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index f0fcb85ef2..8a53921483 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -4538,7 +4538,7 @@ The first several links will also be pinned to the Start menu. A total of four l -This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, {searchTerms}). +This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 33a6b979ad..2636c0f68e 100644 
--- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -343,7 +343,7 @@ Volume: Low. -This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. +This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. 
@@ -836,7 +836,7 @@ Volume: Low. -This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (. +This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](). 
@@ -1083,7 +1083,7 @@ Volume: Low. This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when a distribution group changes +- If you do not configure this policy setting, no audit event is generated when a distribution group changes. > [!NOTE] > Events in this subcategory are logged only on domain controllers. @@ -1120,7 +1120,7 @@ Volume: Low. | Name | Value | |:--|:--| -| Name | Audit Distributio Group Management | +| Name | Audit Distribution Group Management | | Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | 
@@ -1332,7 +1332,7 @@ Volume: Low. -This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see . If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. - If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. 
@@ -1825,7 +1825,7 @@ Volume: High on domain controllers. None on client computers. -This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. > [!NOTE] > Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. 
@@ -2135,7 +2135,7 @@ Volume: Medium or Low on computers running Active Directory Certificate Services -This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] > There are no system access control lists (SACLs) for shared folders. 
@@ -2201,7 +2201,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. -- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures +- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] > There are no system access control lists (SACLs) for shared folders. @@ -2267,7 +2267,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. > [!NOTE] > You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. 
@@ -2455,7 +2455,7 @@ Volume: High. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when a handle is manipulated +- If you do not configure this policy setting, no audit event is generated when a handle is manipulated. > [!NOTE] > Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. @@ -2519,7 +2519,7 @@ Volume: Depends on how SACLs are configured. -This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events +This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. > [!NOTE] > The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects. 
@@ -2645,7 +2645,7 @@ Volume: Low. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL +- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. > [!NOTE] > You can set a SACL on a registry object using the Permissions dialog box. 
@@ -2771,10 +2771,10 @@ This policy setting allows you to audit user attempts to access file system obje This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made +- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. > [!NOTE] -> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (. +> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698). 
@@ -2836,7 +2836,7 @@ Volume: High on domain controllers. For more information about reducing the numb This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed +- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. > [!NOTE] > The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. 
@@ -3147,7 +3147,7 @@ Volume: Low. -This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list +This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. > [!NOTE] > System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 4c5e5997cb..8f7766c3a5 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1484,7 +1484,7 @@ Supported versions: Microsoft Edge on Windows 10, version 1809 Default setting: Disabled or not configured Related policies: - Allows development of Windows Store apps and installing them from an integrated development environment (IDE) -- Allow all trusted apps to install +- Allow all trusted apps to install 
@@ -3248,7 +3248,7 @@ Related Documents: - [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) -- [Assign apps to groups with Microsoft Intune](/mem/intune/apps-deploy) +- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy) - [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index f955123b29..b6865f7b07 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -58,7 +58,7 @@ This ensures that: - The current Policy Manager policies are refreshed from what MDM has set - Any values set by scripts/user outside of GP that conflict with MDM are removed -The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP: +The [Policy DDF](configuration-service-provider-ddf.md) contains the following tags to identify the policies with equivalent GP: - \ - \ diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index eb25db2dad..298d67d708 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1164,7 +1164,7 @@ This setting applies to scheduled scans, but it has no effect on scans initiated -This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus). > [!NOTE] > This feature requires the Join Microsoft MAPS setting enabled in order to function. 
@@ -1232,7 +1232,7 @@ This policy setting determines how aggressive Windows Defender Antivirus will be -This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. > [!NOTE] > This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. @@ -1980,7 +1980,7 @@ Allows an administrator to specify a list of directory paths to ignore during a -Allows an administrator to specify a list of files opened by processes to ignore during a scan +Allows an administrator to specify a list of files opened by processes to ignore during a scan. > [!IMPORTANT] > The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe. 
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 459b035faf..075a1bd389 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -19,7 +19,7 @@ ms.topic: reference > [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./configuration-service-provider-ddf.md). diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 77a826c617..1da17f0f74 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -150,7 +150,7 @@ Descriptions of the properties: **Policy timeline**: -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. The following table describes how this policy setting behaves in different Windows 10 versions: diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 040028b422..e9921d6795 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/18/2023 +ms.date: 02/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,9 @@ ms.topic: reference # Policy CSP - Update +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + @@ -23,6 +26,7 @@ ms.topic: reference Update CSP policies are listed below based on the group policy area: - [Windows Insider Preview](#windows-insider-preview) + - [AllowTemporaryEnterpriseFeatureControl](#allowtemporaryenterprisefeaturecontrol) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) @@ -103,6 +107,75 @@ Update CSP policies are listed below based on the group policy area: ## Windows Insider Preview + +### AllowTemporaryEnterpriseFeatureControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl +``` + + + + +Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*. + +- If this policy is configured to "Enabled", then all features available in the latest monthly quality update installed will be on. + +- If this policy is set to "Not Configured" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed. + +*Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowTemporaryEnterpriseFeatureControl | +| Friendly Name | Enable features introduced via servicing that are off by default | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | AllowTemporaryEnterpriseFeatureControl | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + ### ConfigureDeadlineNoAutoRebootForFeatureUpdates 
@@ -2589,7 +2662,7 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2 -Enables the IT admin to schedule the day of the update installation. The data type is a integer. +Enables the IT admin to schedule the day of the update installation. The data type is an integer. @@ -2660,7 +2733,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty -Enables the IT admin to schedule the update installation on the every week. Value type is integer. +Enables the IT admin to schedule the update installation every week. Value type is integer. @@ -2985,7 +3058,7 @@ Enables the IT admin to schedule the update installation on the third week of th - the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + the IT admin to schedule the time of the update installation. The data type is an integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. @@ -3044,7 +3117,7 @@ Enables the IT admin to schedule the update installation on the third week of th -This setting allows to remove access to "Pause updates" feature. +This setting allows removing access to "Pause updates" feature. Once enabled user access to pause updates is removed. diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md deleted file mode 100644 index 07c6ded973..0000000000 --- a/windows/client-management/mdm/policy-ddf-file.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Policy DDF file -description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/28/2020 ---- - -# Policy DDF file - -This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -You can view various Policy DDF files by clicking the following links: - -- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) -- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) -- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) -- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) -- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) -- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) -- [View the Policy DDF 
file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) -- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - -You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-ddf.md). diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 919e4cac79..d35962adb6 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -34,7 +34,7 @@ items: href: policy-configuration-service-provider.md items: - name: Policy CSP DDF file - href: policy-ddf-file.md + href: configuration-service-provider-ddf.md - name: Policy CSP support scenarios items: - name: ADMX policies in Policy CSP diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 6b3389617f..b6cc17127d 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- 
@@ -31,7 +31,7 @@ The UEFI Configuration Service Provider (CSP) interfaces to UEFI's Device Firmwa > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > [!NOTE] -> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. +> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. The following shows the UEFI CSP in tree format. ``` diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 917d96da7b..fc74d86711 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -40,6 +40,7 @@ WindowsAdvancedThreatProtection ----Configuration --------SampleSharing --------TelemetryReportingFrequency +--------AadDdeviceId ----Offboarding ----DeviceTagging --------Group 
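Review bot: The node added to the tree, `--------AadDdeviceId`, does not match the node this same commit documents further down as `**Configuration/AadDeviceId**` with the OMA URI `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/AadDeviceId` (the `@@ -113,26 +114,31 @@` and `@@ -217,6 +223,16 @@` hunks). Since the URI spells it `AadDeviceId`, the tree line looks like the typo and should read `--------AadDeviceId`. An administrator who copies the node name from the tree into a Get or Replace would likely otherwise target a node that does not exist.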
@@ -48,34 +49,34 @@ WindowsAdvancedThreatProtection The following list describes the characteristics and parameters. -**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** +**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** The root node for the Windows Defender Advanced Threat Protection configuration service provider. Supported operation is Get. -**Onboarding** +**Onboarding** Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**HealthState** +**HealthState** Node that represents the Windows Defender Advanced Threat Protection health state. -**HealthState/LastConnected** +**HealthState/LastConnected** Contains the timestamp of the last successful connection. Supported operation is Get. -**HealthState/SenseIsRunning** +**HealthState/SenseIsRunning** Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. The default value is false. Supported operation is Get. -**HealthState/OnboardingState** +**HealthState/OnboardingState** Represents the onboarding state. Supported operation is Get. @@ -85,15 +86,15 @@ The following list shows the supported values: - 0 (default) – Not onboarded - 1 – Onboarded -**HealthState/OrgId** +**HealthState/OrgId** String that represents the OrgID. Supported operation is Get. -**Configuration** +**Configuration** Represents Windows Defender Advanced Threat Protection configuration. -**Configuration/SampleSharing** +**Configuration/SampleSharing** Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. The following list shows the supported values: 
@@ -103,7 +104,7 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Configuration/TelemetryReportingFrequency** +**Configuration/TelemetryReportingFrequency** Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. The following list shows the supported values: @@ -113,26 +114,31 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Offboarding** +**Configuration/AadDeviceId** +Returns or sets the Intune's reported known AadDeviceId for the machine + +Supported operations are Get and Replace. + +**Offboarding** Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging** +**DeviceTagging** Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. Supported operation is Get. -**DeviceTagging/Group** +**DeviceTagging/Group** Added in Windows 10, version 1709. Device group identifiers. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging/Criticality** +**DeviceTagging/Criticality** Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal @@ -217,6 +223,16 @@ Supported operations are Get and Replace. + + 7 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/AadDeviceId + + + + 11 diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 93b93d3872..361556d8dd 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md 
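Review bot: The new `**Configuration/AadDeviceId**` entry omits the data type and the "Added in" version that every sibling node in this list states (compare `The data type is a string.` under Offboarding and `Added in Windows 10, version 1703.` under TelemetryReportingFrequency), and its description sentence has no terminating period. Because the node supports Replace, a reader setting it has no stated format to match against. Suggested wording, with the placeholders confirmed against the DDF before merging: `Added in Windows 10, version [VERSION-TO-CONFIRM]. Returns or sets the Azure AD device ID (AadDeviceId) reported by Intune for the machine. The data type is [TYPE-TO-CONFIRM].`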
@@ -1,7 +1,7 @@ --- title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/11/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device enrollment diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 475721a37f..adb471edb7 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -9,7 +9,9 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.date: 08/26/2022 --- diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index a90fd2bb19..cbdc9361aa 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,10 +1,7 @@ --- -title: Configure Windows 10 taskbar (Windows 10) +title: Configure Windows 10 taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: [taskbar layout, pin apps] ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library author: lizgt2000 ms.author: lizlong ms.topic: article 
@@ -12,9 +9,12 @@ ms.localizationpriority: medium
 ms.date: 01/18/2018
 ms.reviewer:
 manager: aaroncz
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ---
+
 # Configure Windows 10 taskbar
 Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index c40796bd2a..78ad0b03f2 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -2,6 +2,7 @@
 title: Send feedback about Cortana at work back to Microsoft
 description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index ad09a7c543..399384fb32 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -2,6 +2,7 @@
 title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
 description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
 ms.prod: windows-client
+ms.collection: tier3
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: aczechowski
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 39e709ad20..cd9bc813a9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -4,6 +4,7 @@ ms.reviewer:
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 90543d9202..0071761fd5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -2,6 +2,7 @@
 title: Configure Cortana with Group Policy and MDM settings (Windows)
 description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 71800954eb..0cf1df4390 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -2,6 +2,7 @@
 title: Sign into Azure AD, enable the wake word, and try a voice query
 description: A test scenario walking you through signing in and managing the notebook.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index d31430c312..4ba46b4d36 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -2,6 +2,7 @@
 title: Perform a quick search with Cortana at work (Windows)
 description: This scenario is a test scenario about how to perform a quick search with Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 48b5bfd328..b2202a902d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -2,6 +2,7 @@
 title: Set a reminder for a location with Cortana at work (Windows)
 description: A test scenario about how to set a location-based reminder using Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 0ce5972f23..fcad450ae3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -2,6 +2,7 @@
 title: Use Cortana at work to find your upcoming meetings (Windows)
 description: A test scenario on how to use Cortana at work to find your upcoming meetings.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 0111aba809..94c1edabe4 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -2,6 +2,7 @@
 title: Use Cortana to send email to a co-worker (Windows)
 description: A test scenario about how to use Cortana at work to send email to a co-worker.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index a6c2d4c3bb..54a1064afb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -2,6 +2,7 @@
 title: Review a reminder suggested by Cortana (Windows)
 description: A test scenario on how to use Cortana with the Suggested reminders feature.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index e8caaf8cf3..a69e0078ff 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -2,6 +2,7 @@
 title: Help protect data with Cortana and WIP (Windows)
 description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 19dce90d45..63c801e46b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -2,6 +2,7 @@
 title: Cortana at work testing scenarios
 description: Suggested testing scenarios that you can use to test Cortana in your organization.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 26f401808e..ec1abf4d96 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -2,6 +2,7 @@
 title: Set up and test custom voice commands in Cortana for your organization (Windows)
 description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index 9f38750042..b089b30590 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -4,6 +4,7 @@ ms.reviewer:
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index c3456c0ae6..76496df719 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -2,6 +2,7 @@
 title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
 description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
index 2a7d33cdbf..c6a2efd05f 100644
--- a/windows/configuration/cortana-at-work/test-scenario-2.md
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@@ -2,6 +2,7 @@
 title: Test scenario 2 - Perform a quick search with Cortana at work
 description: A test scenario about how to perform a quick search with Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
index 1724baee87..468c4060cc 100644
--- a/windows/configuration/cortana-at-work/test-scenario-3.md
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@@ -2,6 +2,7 @@
 title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
 description: A test scenario about how to set up, review, and edit a reminder based on a location.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 8cad2a9dab..d1e98c4409 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -2,6 +2,7 @@
 title: Use Cortana to find your upcoming meetings at work (Windows)
 description: A test scenario about how to use Cortana at work to find your upcoming meetings.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index d3b93dd8a0..fcb33530cc 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -2,6 +2,7 @@
 title: Use Cortana to send an email to co-worker (Windows)
 description: A test scenario on how to use Cortana at work to send email to a co-worker.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md
index fbd5290713..1090b25b3f 100644
--- a/windows/configuration/cortana-at-work/test-scenario-6.md
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@@ -2,6 +2,7 @@
 title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
 description: A test scenario about how to use Cortana with the Suggested reminders feature.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
index 701b2f4f58..5f71bbdcec 100644
--- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@@ -2,6 +2,7 @@
 title: Testing scenarios using Cortana in your business or organization
 description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 77f7406fb8..edd95b2265 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -1,5 +1,5 @@
 ---
-title: Customize and export Start layout (Windows 10)
+title: Customize and export Start layout
 description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
 ms.reviewer:
 manager: aaroncz
@@ -9,20 +9,21 @@ ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/18/2018
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier1
 ms.technology: itpro-configure
 ---
 # Customize and export Start layout
-
 **Applies to**
-- Windows 10
+- Windows 10
 >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
+The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
 After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout.
@@ -31,7 +32,7 @@ When a full Start layout is applied, the users cannot pin, unpin, or uninstall a
 When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
 >[!NOTE]
->Partial Start layout is only supported on Windows 10, version 1511 and later.
+>Partial Start layout is only supported on Windows 10, version 1511 and later.
@@ -49,7 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
 **To prepare a test computer**
-1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
+1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
 2. Create a new user account that you will use to customize the Start layout.
@@ -63,7 +64,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
 To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
- - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
+ - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
 - **Drag tiles** on Start to reorder or group apps.
@@ -89,7 +90,7 @@ When you have the Start layout that you want your users to see, use the [Export-
 2. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
- `Export-StartLayout –path .xml`
+ `Export-StartLayout -path .xml`
 On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example:
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index f043da3ecb..0fa0a01630 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -7,7 +7,9 @@ ms.author: lizlong
 ms.reviewer: ericpapa
 ms.prod: windows-client
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier1
 ms.technology: itpro-configure
 ms.date: 01/10/2023
 ms.topic: article
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index a630b2ac0b..dfcaee8191 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -1,5 +1,5 @@
 ---
-title: Configure and customize Windows 11 taskbar | Microsoft Docs
+title: Configure and customize Windows 11 taskbar
 description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded.
 manager: aaroncz
 ms.author: lizlong
@@ -7,7 +7,9 @@ ms.reviewer: chataylo
 ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier1
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ms.topic: article
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index baffd2a688..40b7d5daac 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)
+title: Customize Windows 10 Start and taskbar with group policy
 description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
 ms.reviewer:
 manager: aaroncz
@@ -8,7 +8,9 @@ author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 315f3afa7f..90a28bb7e6 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -34,6 +34,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "itpro-configure",
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 6ff2246977..ee9ad89242 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -8,7 +8,9 @@ ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.prod: windows-client
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
@@ -41,7 +43,7 @@ foreach ($app in $installedapps)
 $aumidList
 ```
-You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters.
+You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters.
 ## To find the AUMID by using File Explorer
@@ -63,7 +65,7 @@ At a command prompt, type the following command:
 `reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"`
-## Example
+### Example to get AUMIDs of the installed apps for the specified user
 The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
@@ -105,14 +107,14 @@ The following Windows PowerShell commands demonstrate how you can call the listA
 # Get a list of AUMIDs for the current account:
 listAumids
-# Get a list of AUMIDs for an account named “CustomerAccount”:
+# Get a list of AUMIDs for an account named "CustomerAccount":
 listAumids("CustomerAccount")
 # Get a list of AUMIDs for all accounts on the device:
 listAumids("allusers")
 ```
-## Example
+### Example to get the AUMID of any application in the Start menu
 The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu.
@@ -148,4 +150,3 @@ Get-AppAUMID -AppName Word
 # List all apps and their AUMID in the Start menu
 Get-AppAUMID
 ```
-
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 48abdda3c1..f1159c1544 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -1,17 +1,16 @@
 ---
-title: Guidelines for choosing an app for assigned access (Windows 10/11)
+title: Guidelines for choosing an app for assigned access
 description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-keywords: [kiosk, lockdown, assigned access]
 ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
 author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
 ms.reviewer: sybruckm
 manager: aaroncz
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
@@ -50,7 +49,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
 Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
-In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website.
+In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
 >[!NOTE]
 >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
@@ -155,7 +154,7 @@ You can create your own web browser Windows app by using the WebView class. Lear
 ## Secure your information
-Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
+Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
 ## App configuration
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index fe0ebfbafc..2891f614c0 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -1,7 +1,7 @@
 ### YamlMime:Landing
 title: Configure Windows client # < 60 chars
-summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars
+summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars
 metadata:
 title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
@@ -10,6 +10,7 @@ metadata:
 ms.prod: windows-client
 ms.collection:
 - highpri
+ - tier1
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 3724425208..d48592fdfc 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -1,6 +1,6 @@
 ---
-title: Set up a single-app kiosk on Windows 10/11
-description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education).
+title: Set up a single-app kiosk on Windows
+description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
@@ -8,7 +8,9 @@ ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier1
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 5e74a0ca9d..800e7781f6 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -9,7 +9,9 @@ manager: aaroncz
 ms.reviewer: sybruckm
 ms.localizationpriority: medium
 ms.topic: how-to
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.date: 12/31/2017
 ---
@@ -247,7 +249,7 @@ A few things to note here:
 - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
 - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
 - There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration.
-- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
+- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
 The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start:
@@ -284,7 +286,7 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
 ##### Taskbar
-Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
+Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
 The following example exposes the taskbar to the end user:
@@ -607,7 +609,7 @@ Lock the Taskbar | Enabled
 Prevent users from adding or removing toolbars | Enabled
 Prevent users from resizing the taskbar | Enabled
 Remove frequent programs list from the Start Menu | Enabled
-Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled
+Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled
 Remove the Security and Maintenance icon | Enabled
 Turn off all balloon notifications | Enabled
 Turn off feature advertisement balloon notifications | Enabled
@@ -615,7 +617,7 @@ Turn off toast notifications | Enabled
 Remove Task Manager | Enabled
 Remove Change Password option in Security Options UI | Enabled
 Remove Sign Out option in Security Options UI | Enabled
-Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
+Remove All Programs list from the Start Menu | Enabled - Remove and disable setting
 Prevent access to drives from My Computer | Enabled - Restrict all drivers
 >[!NOTE]
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index c77e2f658e..8796ceac18 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,14 +1,16 @@
 ---
-title: Install Windows Configuration Designer (Windows 10/11)
+title: Install Windows Configuration Designer
 description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
 ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
-ms.reviewer: gkomatsu
+ms.reviewer: kevinsheehan
 manager: aaroncz
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 4f0004d334..a6fac6c279 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -1,14 +1,16 @@
 ---
-title: Provisioning packages overview on Windows 10/11
+title: Provisioning packages overview
 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
-ms.reviewer: gkomatsu
+ms.reviewer: kevinsheehan
 manager: aaroncz
 ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index beda72c25c..41f4968fe9 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -10,7 +10,7 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
-ms.collection:
+ms.collection: tier2
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md
index 19e203f23c..cabee079ab 100644
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@@ -10,7 +10,7 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
-ms.collection:
+ms.collection: tier2
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md
index a84ff0f030..b0d626cff0 100644
--- a/windows/configuration/shared-pc-technical.md
+++ b/windows/configuration/shared-pc-technical.md
@@ -10,7 +10,7 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
-ms.collection:
+ms.collection: tier2
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 3ebc98f62f..9d33ff603e 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -1,5 +1,5 @@
 ---
-title: Configure access to Microsoft Store (Windows 10)
+title: Configure access to Microsoft Store
 description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
 ms.reviewer:
 manager: aaroncz
@@ -9,7 +9,9 @@ ms.author: lizlong
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 11/29/2022
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ---
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index b72c7c7f8d..852b3e4500 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Administering UE-V with Windows PowerShell and WMI
 description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index ba28b638f1..b4bfc496ca 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -3,6 +3,7 @@ title: Administering UE-V
 description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index e33519a625..a26af56567 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -3,6 +3,7 @@ title: Application Template Schema Reference for UE-V
 description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 627c8b1414..d6cb847dc1 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -3,6 +3,7 @@ title: Changing the Frequency of UE-V Scheduled Tasks
 description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 9367276244..5942fc45be 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -3,6 +3,7 @@ title: Configuring UE-V with Group Policy Objects
 description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index 2f4dadd57a..60273009e8 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -3,6 +3,7 @@ title: Configuring UE-V with Microsoft Configuration Manager
 description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index f58d68f203..479a729676 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -3,6 +3,7 @@ title: Deploy required UE-V features
 description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 901c9451d1..1d05d369d0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -3,6 +3,7 @@ title: Use UE-V with custom applications
 description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 8eb556d6e4..f1604d6359 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -3,6 +3,7 @@ title: User Experience Virtualization for Windows 10, version 1607
 description: Overview of User Experience Virtualization for Windows 10, version 1607
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 05/02/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 825c7597c7..36ce63717c 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -3,6 +3,7 @@ title: Get Started with UE-V
 description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 03/08/2018
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9f62707fab..22bf076b54 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -3,6 +3,7 @@ title: Manage Administrative Backup and Restore in UE-V
 description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 6f44c3f7ea..1e594846ab 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -3,6 +3,7 @@ title: Manage Configurations for UE-V
 description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index 1ec2b72325..04dae12024 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WM
 description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index f6f4e14585..4d07a6a09a 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI
 description: Managing the UE-V service and packages with Windows PowerShell and WMI
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 39539183ca..9c3cebd1a1 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -3,6 +3,7 @@ title: Migrating UE-V settings packages
 description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 39acddadd3..5e13281dc1 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -3,6 +3,7 @@ title: Prepare a UE-V Deployment
 description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index b68e1eb3fe..47dfe6e7e7 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -3,6 +3,7 @@ title: User Experience Virtualization (UE-V) Release Notes
 description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index 4029c2a043..a91444675f 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -3,6 +3,7 @@ title: Security Considerations for UE-V
 description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index ddd0e4181c..7d1eeeccb0 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -3,6 +3,7 @@ title: Sync Methods for UE-V
 description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 6ffa1e76ff..b9571cdf2a 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -3,6 +3,7 @@ title: Sync Trigger Events for UE-V
 description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 20bedf9737..7851418fe8 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -3,6 +3,7 @@ title: Synchronizing Microsoft Office with UE-V
 description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index 1050b221b6..9d161c1889 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -3,6 +3,7 @@ title: Technical Reference for UE-V
 description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index d5be7f7710..d2a350b63d 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -3,6 +3,7 @@ title: Troubleshooting UE-V
 description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 5f5127f7ea..78cfb2f9c0 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -3,6 +3,7 @@ title: Upgrade to UE-V for Windows 10
 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index 951c1b4ff0..5d02d042ce 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -3,6 +3,7 @@ title: Using UE-V with Application Virtualization applications
 description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index facd3330f3..157f473f1f 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -3,6 +3,7 @@ title: What's New in UE-V for Windows 10, version 1607
 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index 0eaaa0f658..827c6ad3ff 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -3,6 +3,7 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator
 description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index eec297b628..a3d8dd29c1 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs
+title: Customize and manage the Windows 10 Start and taskbar layout
 description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
 ms.reviewer:
 manager: aaroncz
@@ -9,7 +9,9 @@ ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 08/05/2021
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ---
@@ -25,7 +27,7 @@ ms.technology: itpro-configure
 >
 > **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
-Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
+Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
 >[!NOTE]
 >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
@@ -215,7 +217,7 @@ On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply
 If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events:
-- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format.
+- **Event 22**: The XML is malformed. The specified file isn't valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format.
 - **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`.
 ## Next steps
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
index e019375c50..528e7fcbba 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -9,7 +9,8 @@ ms.reviewer:
 manager: aaroncz
 ms.localizationpriority: medium
 ms.date: 09/20/2022
-ms.topic: reference
+ms.topic: conceptual
+ms.collection: tier1
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index b9bfa40f0f..33bd24bcc8 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Spotlight on the lock screen (Windows 10)
+title: Configure Windows Spotlight on the lock screen
 description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
 ms.reviewer:
 manager: aaroncz
@@ -9,7 +9,9 @@ ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 04/30/2018
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ---
@@ -23,7 +25,7 @@ ms.technology: itpro-configure
 Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
-For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
+For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
 >[!NOTE]
@@ -99,4 +101,4 @@ The recommendation for custom lock screen images that include text (such as a le
 [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-  
+
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 4ac1a97b0f..084263aadb 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -65,6 +65,8 @@
 href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
 - name: Deprecated features
 href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+ - name: Resources for deprecated features
+ href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
 - name: Removed features
 href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
 - name: Prepare
@@ -164,19 +166,30 @@
 href: update/waas-configure-wufb.md
 - name: Use Windows Update for Business and WSUS
 href: update/wufb-wsus.md
- - name: Windows Update for Business deployment service
- href: update/deployment-service-overview.md
- items:
- - name: Troubleshoot the Windows Update for Business deployment service
- href: update/deployment-service-troubleshoot.md
 - name: Enforcing compliance deadlines for updates
 href: update/wufb-compliancedeadlines.md
 - name: Integrate Windows Update for Business with management solutions
 href: update/waas-integrate-wufb.md
 - name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
 href: update/waas-wufb-group-policy.md
- - name: 'Walkthrough: use Intune to configure Windows Update for Business'
+ - name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business'
 href: update/deploy-updates-intune.md
+ - name: Windows Update for Business deployment service
+ items:
+ - name: Windows Update for Business deployment service overview
+ href: update/deployment-service-overview.md
+ - name: Prerequisites for Windows Update for Business deployment service
+ href: update/deployment-service-prerequisites.md
+ - name: Deploy updates with the deployment service
+ items:
+ - name: Deploy feature updates using Graph Explorer
+ href: update/deployment-service-feature-updates.md
+ - name: Deploy expedited updates using Graph Explorer
+ href: update/deployment-service-expedited-updates.md
+ - name: Deploy driver and firmware updates using Graph Explorer
+ href: update/deployment-service-drivers.md
+ - name: Troubleshoot Windows Update for Business deployment service
+ href: update/deployment-service-troubleshoot.md
 - name: Monitor
 items:
 - name: Windows Update for Business reports
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index 6c21a68819..0336d89ddb 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
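Review bot: The renamed Intune entry on the new side carries a typo in a user-visible TOC label, `- name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business'`; it should read `- name: 'Walkthrough: use Intune to configure Windows Update for Business'`, matching the Group Policy walkthrough entry immediately above it. Since the old label was spelled correctly and only this word changed, it looks like an accidental paste rather than an intentional rename. The collapsed layout also hides the indentation of the new `Troubleshoot Windows Update for Business deployment service` item, so it is worth confirming whether it is meant to nest under the deployment-service node (as it did under `items:` before) or sit as a sibling of it, because the two readings produce different navigation trees.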
@@ -25,6 +25,8 @@
 href: delivery-optimization-workflow.md
 - name: Using a proxy with Delivery Optimization
 href: delivery-optimization-proxy.md
+ - name: Testing Delivery Optimization
+ href: delivery-optimization-test.md
 - name: Microsoft Connected Cache
 items:
 - name: Microsoft Connected Cache overview
@@ -55,7 +57,7 @@
 items:
 - name: Frequently Asked Questions
 href: mcc-isp-faq.yml
- - name: Enhancing VM performance
+ - name: Enhancing cache performance
 href: mcc-isp-vm-performance.md
 - name: Support and troubleshooting
 href: mcc-isp-support.md
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index 6d8accfe59..5083d8f0da 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -20,14 +20,13 @@ ms.date: 12/31/2017 ## Download request workflow -This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. - +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from. 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). -2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. +2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to use peer-to-peer. 3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. 4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. -5. 
If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. +5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode”. Simple mode will only pull content from the HTTP source and peer-to-peer won't be allowed. 6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. ## Delivery Optimization service endpoint and data information @@ -35,8 +34,8 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint |--------------------------------------------|--------|---------------|-----------------------|------------------------| | geover-prod.do.dsp.mp.microsoft.com
    geo-prod.do.dsp.mp.microsoft.com
    geo.prod.do.dsp.mp.microsoft.com
    geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
    **doClientVersion**: The version of the DoSvc client
    **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | -| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
    **doClientVersion**: The version of the DoSvc client
    **Profile**: The device type (for example, PC or Xbox)
    **eId**: Client grouping Id
    **CacheHost**: Cache host id | -| cp\*.prod.do.dsp.mp.microsoft.com
    | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **countryCode**: The country the client is connected from
    **altCatalogId**: If ContentId isn't available, use the download URL instead
    **eId**: Client grouping Id
    **CacheHost**: Cache host id | -| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **partitionId**: Client partitioning hint
    **altCatalogId**: If ContentId isn't available, use the download URL instead
    **eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **altCatalogId**: If ContentId isn't available, use the download URL instead
    **PeerId**: Identity of the device running DO client
    **ReportedIp**: The internal / private IP Address
    **IsBackground**: Is the download interactive or background
    **Uploaded**: Total bytes uploaded to peers
    **Downloaded**: Total bytes downloaded from peers
    **DownloadedCdn**: Total bytes downloaded from CDN
    **Left**: Bytes left to download
    **Peers Wanted**: Total number of peers wanted
    **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
    **Scope**: The Download mode
    **UploadedBPS**: The upload speed in bytes per second
    **DownloadBPS**: The download speed in Bytes per second
    **eId**: Client grouping Id | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country the client is connected from
    **doClientVersion**: The version of the DoSvc client
    **Profile**: The device type (for example, PC or Xbox)
    **eId**: Client grouping ID
    **CacheHost**: Cache host ID | +| cp\*.prod.do.dsp.mp.microsoft.com
    | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **countryCode**: The country the client is connected from
    **altCatalogID**: If ContentID isn't available, use the download URL instead
    **eID**: Client grouping ID
    **CacheHost**: Cache host ID | +| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox)
    **ContentID**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **partitionID**: Client partitioning hint
    **altCatalogID**: If ContentID isn't available, use the download URL instead
    **eID**: Client grouping ID | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
    **ContentID**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **altCatalogID**: If ContentID isn't available, use the download URL instead
    **PeerID**: Identity of the device running DO client
    **ReportedIp**: The internal / private IP Address
    **IsBackground**: Is the download interactive or background
    **Uploaded**: Total bytes uploaded to peers
    **Downloaded**: Total bytes downloaded from peers
    **DownloadedCdn**: Total bytes downloaded from CDN
    **Left**: Bytes left to download
    **Peers Wanted**: Total number of peers wanted
    **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
    **Scope**: The Download mode
    **UploadedBPS**: The upload speed in bytes per second
    **DownloadBPS**: The download speed in Bytes per second
    **eID**: Client grouping ID | | dl.delivery.mp.microsoft.com
    emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/do/images/mcc-isp-create-resource-fields.png b/windows/deployment/do/images/mcc-isp-create-resource-fields.png new file mode 100644 index 0000000000..f80f8e490a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-fields.png differ diff --git a/windows/deployment/do/images/mcc-isp-create-resource-validated.png b/windows/deployment/do/images/mcc-isp-create-resource-validated.png new file mode 100644 index 0000000000..cfa2901768 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-validated.png differ diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md index 114671fd5e..16badd2d4a 100644 --- a/windows/deployment/do/includes/get-azure-subscription.md +++ b/windows/deployment/do/includes/get-azure-subscription.md @@ -2,6 +2,7 @@ author: amymzhou ms.author: amyzhou manager: dougeby +ms.date: 10/18/2022 ms.prod: w10 ms.collection: M365-modern-desktop ms.topic: include 
@@ -14,4 +15,4 @@ ms.localizationpriority: medium 1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. 1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. 1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. -1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. \ No newline at end of file +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 5cbe1535a0..8ba99b0ff9 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -59,8 +59,7 @@ landingContent: - text: Optimize Windows 10 or later update delivery with Configuration Manager url: /mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization - text: Delivery Optimization settings in Microsoft Intune - url: /mem/intune/configuration/delivery-optimization-windows - + url: /mem/intune/configuration/delivery-optimization-windows # Card - title: Microsoft Connected Cache (MCC) for Enterprise and Education diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index 11915236a8..d9eab5ddf8 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md 
@@ -12,7 +12,7 @@ ms.technology: itpro-updates # Appendix -## Steps to obtain an Azure Subscription ID +## Steps to obtain an Azure subscription ID [!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] 
@@ -23,12 +23,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco - [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). -## Installing on VMWare +## Hardware specifications -We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made: +Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache. + +### Installing on VMware + +We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made: 1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. -1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. +1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. 
+ +### Installing on Hyper-V + +To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization). ## Diagnostics Script @@ -65,17 +73,17 @@ communication operations. The runtime performs several functions: For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## Routing local Windows Clients to an MCC +## Routing local Windows clients to an MCC ### Get the IP address of your MCC using ifconfig There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. -#### Registry Key +#### Registry key You can either set your MCC IP address or FQDN using: -1. Registry Key (version 1709 and later): +1. Registry key (version 1709 and later): `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
    "DOCacheHost"=" " @@ -86,7 +94,7 @@ You can either set your MCC IP address or FQDN using: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` -1. MDM Path (version 1809 and later): +1. MDM path (version 1809 and later): `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` @@ -95,7 +103,7 @@ You can either set your MCC IP address or FQDN using: :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: -**Verify Content using the DO Client** +## Verify content using the DO client To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index c39e4b5a84..52b3515a34 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md 
@@ -31,18 +31,18 @@ To deploy MCC to your server: For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) -### Provide Microsoft with the Azure Subscription ID +### Provide Microsoft with the Azure subscription ID As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] > [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). +For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. 
@@ -221,7 +221,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + 1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: @@ -235,7 +235,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p ## Verify proper functioning MCC server -#### Verify Client Side +#### Verify client side Connect to the EFLOW VM and check if MCC is properly running: 
@@ -305,21 +305,16 @@ sudo iotedge list :::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: -If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command: ```bash sudo journalctl -u iotedge -f ``` -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. +This command will provide the current status of the starting, stopping of a container, or the container pull and start. :::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge -f -``` > [!NOTE] > You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index fac81254f0..2e5773468b 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
@@ -24,13 +24,12 @@ ms.technology: itpro-updates Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. +1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. > [!NOTE] > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations. - **EFLOW Requires Hyper-V support** + **EFLOW requires Hyper-V support** - On Windows client, enable the Hyper-V feature - On Windows Server, install the Hyper-V role and create a default network switch @@ -44,6 +43,7 @@ ms.technology: itpro-updates VM networking: - An external virtual switch to support outbound and inbound network communication (created during the installation process) +1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints. ## Sizing recommendations 
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index aa7180c750..885330563a 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -10,7 +10,7 @@ ms.date: 12/31/2017 ms.technology: itpro-updates --- -# Create, Configure, provision, and deploy the cache node in Azure portal +# Create, configure, provision, and deploy the cache node in Azure portal **Applies to** @@ -58,8 +58,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi 1. Enter the max allowable egress that your hardware can support. -1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. -**Note:** Up to nine cache drives are supported. +1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes. +**Note:** This is a **required** field. Up to nine cache drive folders are supported. 1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). 
@@ -110,10 +110,10 @@ There are five IDs that the device provisioning script takes as input in order t 1. Copy and paste the script command line shown in the Azure portal. -1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). +1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). > [!NOTE] - > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. ### General configuration fields 
@@ -127,12 +127,12 @@ There are five IDs that the device provisioning script takes as input in order t ### Storage fields > [!IMPORTANT] -> All cache drives must have read/write permissions set or the cache node will not function. -> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` +> All cache drives must have full read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder` | Field Name | Expected Value| Description | |---|---|---| -| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.| | **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | ### Client routing fields diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 74688ffae3..07d8f242c0 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml 
@@ -69,8 +69,6 @@ sections: answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. - question: How does Microsoft Connected Cache populate its content? answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. - - question: What do I do if I need more support and have more questions even after reading this FAQ page? - answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). - question: What CDNs will Microsoft Connected Cache pull content from? answer: | Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: 
@@ -82,3 +80,11 @@ sections: $ whois 13.107.4.50|grep "Organization:" Organization: Microsoft Corporation (MSFT) + - question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic? + answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic. + - question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do? + answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com". + - question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned? + answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview. 
+ - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index e53324e321..f407f4d6cd 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md 
@@ -24,21 +24,37 @@ This article details the process of signing up for Microsoft Connected Cache for
 ## Prerequisites
 Before you begin sign up, ensure you have the following components:
-- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/).
-- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
-- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
-- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS.
+
+1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
+
+1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
+
+1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
+
+1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS.
+1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process.
The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
 ## Resource creation and sign up process
 1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.
- :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace.":::
+ :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png":::
-1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource.
+1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
+
+ :::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png":::
 > [!IMPORTANT]
 > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information.
+
+ After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**.
+
+ :::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png":::
+
+1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**.
+
+ :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png":::
+
 1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for.
 :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png":::
@@ -48,7 +64,10 @@ Before you begin sign up, ensure you have the following components:
 > [!NOTE]
 > Verification codes expire in 24 hours. You will need to generate a new code if it expires.
- :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
+ :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
+
+ > [!NOTE]
+ > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
 1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
@@ -57,37 +76,3 @@ Before you begin sign up, ensure you have the following components:
 During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal. We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). -->
-
-### Cache performance
-
-To make sure you're maximizing the performance of your cache node, review the following information:
-
-#### OS requirements
-
-The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
-
-#### NIC requirements
-
-- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
-- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
-
-#### Drive performance
-
-The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
-
-RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
-
-### Hardware configuration example
-
-There are many hardware configurations that suit Microsoft Connected Cache. 
As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
-
-**Dell PowerEdge R330**
-
-- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
-- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
-- 4 - Transcend SSD230s 1 TB SATA Drives
-- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
-
-### Virtual machines
-
-Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance.
\ No newline at end of file
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index da0003c24f..1e31838cd4 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -16,6 +16,28 @@ ms.technology: itpro-updates
 This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes.
+## Verify cache node installation is complete
+
+Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers):
+
+```bash
+sudo iotedge list
+```
+
+:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png":::
+
+If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command:
+
+```bash
+sudo iotedge system logs -- -f
+```
+
+For example, this command provides the current status of the starting and stopping of a container, or the container pull and start:
+
+:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png":::
+
+You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching.
+
 ## Verify functionality on Azure portal
 Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue.
@@ -48,6 +70,14 @@ http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup
 If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article.
+## Verify BGP routing configuration
+
+To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for.
+
+Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising.
+
+If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly.
+
 ## Monitor cache node health and performance
 Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance.
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index 9316c9a5af..5bd6e00e83 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -1,5 +1,5 @@
 ---
-title: Enhancing VM performance
+title: Enhancing cache performance
 manager: aaroncz
 description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
 ms.prod: windows-client
@@ -10,11 +10,41 @@ ms.technology: itpro-updates
 ms.date: 12/31/2017
 ---
-# Enhancing virtual machine performance
+# Enhancing cache performance
+
+To make sure you're maximizing the performance of your cache node, review the following information:
+
+#### OS requirements
+
+The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
+
+#### NIC requirements
+
+- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
+- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
+
+#### Drive performance
+
+The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
+
+RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
+
+### Hardware configuration example
+
+There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
+
+**Dell PowerEdge R330**
+
+- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
+- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
+- 4 - Transcend SSD230s 1 TB SATA Drives
+- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
+
+## Enhancing virtual machine performance
 In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings.
-## Virtual machine settings
+### Virtual machine settings
 Change the following settings to maximize the egress in virtual environments:
@@ -27,7 +57,3 @@ Change the following settings to maximize the egress in virtual environments:
 Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
 2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment.
-
-## Next steps
-
-[Support and troubleshooting](mcc-isp-support.md)
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 6564dcd26e..c76958e4f8 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -20,59 +20,57 @@ ms.date: 12/31/2017
 - Windows 10
 - Windows 11
-> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=103506).
+> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
-There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows client updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md).
+There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
 ## Delivery Optimization options
 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
-You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
+You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
 In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
-[//]: # (something about Intune UX--perhaps link to relevant Intune docs?)
-
 ### Summary of Delivery Optimization settings
-| Group Policy setting | MDM setting | Supported from version |
-| --- | --- | --- |
-| [Download mode](#download-mode) | DODownloadMode | 1511 |
-| [Group ID](#group-id) | DOGroupID | 1511 |
-| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
-| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
-| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
-| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 |
-| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 |
-| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 |
-| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 |
-| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)|
-| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)|
-| [Max Upload 
Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) |
-| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 |
-| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 |
-| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 |
-| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 |
-| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 |
-| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 |
-| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 |
-| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 |
-| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 |
-| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 |
-| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 |
-| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
-| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
-| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | 
DelayCacheServerFallbackBackground | 1903 |
-| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 |
-| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
-| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
-| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
+| Group Policy setting | MDM setting | Supported from version | Notes |
+| --- | --- | --- | ------- |
+| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
+| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
+| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
+| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. |
+| [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. 
|
+| [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
+| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). |
+| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20%. |
+| [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.|
+| [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. |
+| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50 MB. |
+| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. |
+| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. |
+| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. |
+| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. |
+| [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
+| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. 
|
+| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
+| [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
+| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. |
+| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
+| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
+| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
+| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. 
|
+| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
+| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. |
+| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. |
+| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
+| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
+| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). |
 ### More detail on Delivery Optimization settings
-[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
+#### Locally cached updates
-Delivery Optimization uses locally cached updates. 
In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
+Delivery Optimization uses locally cached updates to deliver contact via peers. The more content available in the cache, the more likely that peering can be used. In cases where devices have enough local storage and you'd like to cache more content. Likewise, if you have limited storage and would prefer to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
 - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
 - [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
@@ -83,20 +81,35 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
 All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
-Additional options available that control the impact Delivery Optimization has on your network include the following:
+#### Impact to network
-- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization.
-- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
-- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
-- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
-- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
+More options available that control the impact Delivery Optimization has on your network include the following:
+
+- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates.
This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network.
+- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
 - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
 - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
 - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
 - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select.
 - [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source.
-- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
-- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
+
+#### Policies to prioritize the use of Peer-to-Peer and Cache Server sources
+
+When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content can’t be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
+
+##### Peer-to-peer delay fallback settings
+
+- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
+- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
+
+##### Microsoft Connected Cache (MCC) delay fallback settings
+
+- [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
+- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
+
+**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
+
+#### System resource usage
 Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
@@ -107,7 +120,7 @@ Administrators can further customize scenarios where Delivery Optimization will
 ### Download mode
-Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
 | Download mode option | Functionality when set |
 | --- | --- |
@@ -116,19 +129,17 @@ Download mode dictates which download sources clients are allowed to use when do
 | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
 | Internet (3) | Enable Internet peer sources for Delivery Optimization. |
 | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
-|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. |
+| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead.
You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
 > [!NOTE]
-> Starting in Windows 11, the Bypass option of Download Mode is no longer used.
+> Starting in Windows 11, the Bypass option of Download Mode is deprecated.
 >
 > [!NOTE]
 > When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
 ### Group ID
-By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
-
-[//]: # (Configuration Manager boundary group option; GroupID Source policy)
+By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607.
By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 >[!NOTE]
 >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
@@ -139,14 +150,14 @@ By default, peer sharing on clients using the Group download mode (option 2) is
 Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
-- 0 = not set
+- 0 = Not set
 - 1 = AD Site
 - 2 = Authenticated domain SID
 - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
 - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored.
If you set the value to anything other than 0-5, the policy is ignored.
 ### Minimum RAM (inclusive) allowed to use Peer Caching
@@ -165,7 +176,7 @@ In environments configured for Delivery Optimization, you might want to set an e
 ### Max Cache Size
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20**.
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
 ### Absolute Max Cache Size
@@ -173,7 +184,7 @@ This setting specifies the maximum number of gigabytes the Delivery Optimization
 ### Minimum Peer Caching Content File Size
-This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50MB** to participate in peering.
+This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering.
 ### Maximum Download Bandwidth
@@ -184,11 +195,11 @@ This setting specifies the maximum download bandwidth that can be used across al
 ### Maximum Foreground Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 ### Maximum Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 ### Percentage of Maximum Download Bandwidth
@@ -199,43 +210,45 @@ This setting specifies the maximum download bandwidth that Delivery Optimization
 ### Max Upload Bandwidth
-This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0", or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate.
 ### Set Business Hours to Limit Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
**By default, this policy isn't set.**
 ### Set Business Hours to Limit Foreground Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
 ### Select a method to restrict peer selection
-Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
+Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**. If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds.
This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
-### Delay background download from http (in secs)
+### Delay background download from HTTP (in secs)
-Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
-### Delay foreground download from http (in secs)
+### Delay foreground download from HTTP (in secs)
-Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
 ### Delay Foreground Download Cache Server Fallback (in secs)
-Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.**
+Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds.
If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
+
+By default this policy isn't set. So,
 ### Delay Background Download Cache Server Fallback (in secs)
-Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.**
+Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 ### Minimum Background QoS
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s**
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources . The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
 ### Modify Cache Drive
@@ -247,7 +260,7 @@ This setting specifies the total amount of data in gigabytes that a Delivery Opt
 ### Enable Peer Caching while the device connects via VPN
-This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering is not allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 ### Allow uploads while the device is on battery while under set Battery level
@@ -259,10 +272,10 @@ The device can download from peers while on battery regardless of this policy.
 ### Cache Server Hostname
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.**
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
 >[!IMPORTANT]
-> Any value will signify that the policy is set. For example, an empty string ("") is not considered empty.
+> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
 ### Cache Server Hostname Source
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 8b49d9f487..a619d741c0 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -25,16 +25,19 @@ ms.date: 12/19/2022
 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
-You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
+You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
 Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
-**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
+
+## Allow service endpoints
+
+When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information.
 ## Allow content endpoints
-When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md).
-
+When using a firewall, it's important that the content endpoints are allowed and associated ports are open.
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md).
 ## Recommended Delivery Optimization settings
@@ -57,13 +60,13 @@ Quick-reference table:
 | Use case | Policy | Recommended value | Reason |
 | --- | --- | --- | --- |
 | Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology |
-| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads |
+| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Use peers-to-peer capability in more downloads |
 | Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain |
-| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period |
+| Labs with AC-powered devices | Content expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period |
 ### Hybrid WAN scenario
-For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
+For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order.
If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
 To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
@@ -71,14 +74,14 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. -To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. 
+To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. > [!NOTE] -> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). +> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). ### Large number of mobile devices 
@@ -90,11 +93,11 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Plentiful free space and large numbers of devices -Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. +Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. -To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). +To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices). -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). 
+To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices). ### Lab scenario 
@@ -104,18 +107,18 @@ To do this in Group Policy, go to **Computer Configuration\Administrative Templa To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). +[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios. [!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] +### Monitor with Windows Update for Business Delivery Optimization Report -### Monitor with Update Compliance +Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png"::: -[[DO status](images/UC_workspace_DO_status.png)](images/UC_workspace_DO_status.png#lightbox) - -For details, see [Delivery Optimization in Update Compliance](../update/update-compliance-delivery-optimization.md). +For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). ## Troubleshooting 
@@ -135,17 +138,17 @@ If you don't see any bytes coming from peers the cause might be one of the follo Try these steps: 1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga"). -2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, DownloadMode should be 1, 2, or 3. -3. If DownloadMode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. +2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3. +3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. ### The cloud service doesn't see other peers on the network Try these steps: 1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads. -2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. +2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. -4. 
If the number of peers is zero and **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[GroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. +4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. > [!NOTE] > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. 
@@ -155,7 +158,7 @@ Try these steps: Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps: 1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt. -2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. +2. Run the test. For example, if you are on device with IP 192.168.8.12 and you're trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You'll either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] > You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 149bfe398d..8bcab9c5ee 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
@@ -21,11 +21,13 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). 
You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional. -Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content. + +You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). @@ -60,7 +62,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | -| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | +| MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server 
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index bc0d6223b6..dcfac57aad 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -1,13 +1,12 @@ --- title: Microsoft Connected Cache overview -manager: dougeby +manager: aaroncz description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution. ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 --- 
@@ -20,13 +19,21 @@ ms.date: 12/31/2017 - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. +Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal. + +## Microsoft Connected Cache for ISPs (preview) +Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. 
+ +## Microsoft Connected Cache for Enterprise and Education (early preview) +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +## IoT Edge + +Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. 1. 
Maintains Azure IoT Edge security standards on your edge device. @@ -51,8 +58,6 @@ The following diagram displays and overview of how MCC functions: :::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: - - ## Next steps - [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 5d39e69f91..9253808ee6 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -14,11 +14,10 @@ ms.date: 12/31/2017 # Optimize Windows update delivery - **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
@@ -30,7 +29,7 @@ Two methods of peer-to-peer content distribution are available. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates. -- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, and in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. 
@@ -47,7 +46,7 @@ Two methods of peer-to-peer content distribution are available. > [!NOTE] > Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Pre-installation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery 
@@ -57,6 +56,7 @@ Windows client quality update downloads can be large because every package conta > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express + - **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** @@ -67,6 +67,7 @@ Windows client quality update downloads can be large because every package conta ### How Express download works For OS updates that support Express, there are two versions of the file payload stored on the service: + 1. **Full-file version** - essentially replacing the local versions of the update binaries. 2. **Express version** - containing the deltas needed to patch the existing binaries on the device. diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index ad1f0f4c84..1387984499 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "feedback_system": "GitHub", diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md new file mode 100644 index 0000000000..d7608bf6f1 --- /dev/null +++ b/windows/deployment/update/deployment-service-drivers.md 
@@ -0,0 +1,335 @@
+---
+title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
+description: Use Windows Update for Business deployment service to deploy driver and firmware updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy drivers and firmware updates with Windows Update for Business deployment service
+
+***(Applies to: Windows 11 & Windows 10)***
+
+The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
+
+This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a driver update to clients. In this article, you will:
+> [!div class="checklist"]
+>
+> - [Open Graph Explorer](#open-graph-explorer)
+> - [Run queries to identify devices](#run-queries-to-identify-devices)
+> - [Enroll devices](#enroll-devices)
+> - [Create a deployment audience and add audience members](#create-a-deployment-audience-and-add-audience-members)
+> - [Create an update policy](#create-an-update-policy)
+> - [Review applicable driver content](#review-applicable-driver-content)
+> - [Approve driver content for deployment](#approve-driver-content-for-deployment)
+> - [Revoke content approval](#revoke-content-approval)
+> - [Unenroll devices](#unenroll-devices)
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## Enroll devices
+
+When you enroll devices into driver management, the deployment service becomes the authority for driver updates coming from Windows Update. Devices don't receive drivers or firmware from Windows Update until a deployment is manually created or they're added to a driver update policy with approvals.
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
+
+## Create a deployment audience and add audience members
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-audience-graph-explorer.md)]
+
+Once a device has been enrolled and added to a deployment audience, the Windows Update for Business deployment service will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment.
+
+## Create an update policy
+
+Update policies define how content is deployed to a deployment audience. An [update policy](/graph/api/resources/windowsupdates-updatepolicy) ensures deployments to a deployment audience behave in a consistent manner without having to create and manage multiple individual deployments. When a content approval is added to the policy, it's deployed to the devices in the associated audiences. The deployment and monitoring settings are optional.
+ +> [!IMPORTANT] +> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for a [content approval](#approve-driver-content-for-deployment) will be combined with the existing update policy's deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used. + + +### Create a policy and define the settings later + +To create a policy without any deployment settings, in the request body specify the **Audience ID** as `id`. In the following example, the **Audience ID** is `d39ad1ce-0123-4567-89ab-cdef01234567`, and the `id` given in the response is the **Policy ID**: + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies + content-type: application/json + + { + "audience": { + "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567" + } + } + ``` + +Response returning the policy, without any additional settings specified, that has a **Policy ID** of `9011c330-1234-5678-9abc-def012345678`: + +```json +HTTP/1.1 202 Accepted +content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/updatePolicies/$entity", + "id": "9011c330-1234-5678-9abc-def012345678", + "createdDateTime": "2023-01-25T05:32:21.9721459Z", + "autoEnrollmentUpdateCategories": [], + "complianceChangeRules": [], + "deploymentSettings": { + "schedule": null, + "monitoring": null, + "contentApplicability": null, + "userExperience": null, + "expedite": null + } +} +``` + +### Specify settings during policy creation + +To create a policy with additional settings, in the request body: + - Specify the **Audience ID** as `id` + - Define any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings). + - Add the `content-length` header to the request if a status code of 411 occurs. The value should be the length of the request body in bytes. 
For information on error codes, see [Microsoft Graph error responses and resource types](/graph/errors). + + In the following driver update policy example, any deployments created by a content approval will start 7 days after approval for **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567`: + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies + content-type: application/json + + { + "@odata.type": "#microsoft.graph.windowsUpdates.updatePolicy", + "audience": { + "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567" + }, + "complianceChanges": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval" + } + ], + "complianceChangeRules": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule", + "contentFilter": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter" + }, + "durationBeforeDeploymentStart": "P7D" + } + ] + } + ``` + + +### Review and edit update policy settings + +To review the policy settings, run the following query using the **Policy ID**, for example `9011c330-1234-5678-9abc-def012345678`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678 + ``` + +To edit the policy settings, **PATCH** the policy using the **Policy ID**. 
Run the following **PATCH** to automatically approve driver content that's recommended by `Microsoft`for deployment for **Policy ID** `9011c330-1234-5678-9abc-def012345678`: + +``` msgraph-interactive +PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678 +content-type: application/json + +{ + "complianceChangeRules": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule", + "contentFilter": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter" + } + } + ], + "deploymentSettings": { + "@odata.type": "#microsoft.graph.windowsUpdates.deploymentSettings", + "contentApplicability": { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApplicabilitySettings", + "offerWhileRecommendedBy": ["microsoft"] + } + } +} +``` + + +## Review applicable driver content + +Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information: + +- An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry) +- The **Azure AD ID** of the devices it's applicable to +- Information describing the update such as the name and version. 
+ +To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`: + +```msgraph-interactive +GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/applicableContent +``` + +The following truncated response displays: + - An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef` + - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c` + + ```json + "matchedDevices": [ + { + "recommendedBy": [ + "Microsoft" + ], + "deviceId": "01ea3c90-12f5-4093-a4c9-c1434657c976" + } + ], + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry", + "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c", + "displayName": "Microsoft - Test - 1.0.0.1", + "deployableUntilDateTime": null, + "releaseDateTime": "0001-01-21T04:18:32Z", + "description": "Microsoft test driver update released in January 2021", + "driverClass": "OtherHardware", + "provider": "Microsoft", + "setupInformationFile": null, + "manufacturer": "Microsoft", + "version": "1.0.0.1", + "versionDateTime": "2021-01-11T02:43:14Z" + ``` + +## Approve driver content for deployment + +Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliancechange) for the policy. + +> [!IMPORTANT] +> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for the content approval will be combined with the existing [update policy's](#create-an-update-policy) deployment settings. 
If the content approval and update policy specify the same deployment setting, the setting from the content approval is used. + +Add a content approval to an existing policy, **Policy ID** `9011c330-1234-5678-9abc-def012345678` for the driver update with the **Catalog ID** `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`. Schedule the start date for February 14, 2023 at 1 AM UTC: + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry", + "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c" + } + }, + "deploymentSettings": { + "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings", + "schedule": { + "startDateTime": "2023-02-14T01:00:00Z" + } + } +} +``` + +The response for a content approval returns content and deployment settings along with an `id`, which is the **Compliance Change ID**. 
The **Compliance Change ID** is `c03911a7-9876-5432-10ab-cdef98765432` in the following truncated response: + +```json + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "id": "c03911a7-9876-5432-10ab-cdef98765432", + "createdDateTime": "2023-02-02T17:54:39.173292Z", + "isRevoked": false, + "revokedDateTime": "0001-01-01T00:00:00Z", + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry", + "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c" + } + }, + "deploymentSettings": { + "schedule": { + "startDateTime": "2023-02-14T01:00:00Z", +``` + +Review all of the compliance changes to a policy with the most recent changes listed in the response first. The following example returns the compliance changes for a policy with the **Policy ID** `9011c330-1234-5678-9abc-def012345678` and sorts by `createdDateTime` in descending order: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges?orderby=createdDateTime desc + ``` + + > [!TIP] + > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`. + +To retrieve the deployment ID, use the [expand parameter](/graph/query-parameters#expand-parameter) to review the deployment information related the content approval. 
The following example displays the content approval and the deployment information for **Compliance Change ID** `c03911a7-9876-5432-10ab-cdef98765432` in update **Policy ID** `9011c330-1234-5678-9abc-def012345678`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432/$/microsoft.graph.windowsUpdates.contentApproval?$expand=deployments + ``` + +### Edit deployment settings for a content approval + +Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/windowsupdates-contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC: + +```msgraph-interactive +PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432 +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "deploymentSettings": { + "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings", + "schedule": { + "startDateTime": "2023-02-28T05:00:00Z" + } + } +} +``` + +## Revoke content approval + +Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliancechange) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created. 
+ +```msgraph-interactive +PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432 +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "isRevoked": true +} +``` + +To display all deployments with the most recently created returned first, order deployments based on the `createdDateTime`: + +```msgraph-interactive +GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=createdDateTime desc +``` + +## Unenroll devices + + +[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] \ No newline at end of file diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md new file mode 100644 index 0000000000..14b6fec38a --- /dev/null +++ b/windows/deployment/update/deployment-service-expedited-updates.md 
@@ -0,0 +1,196 @@ +--- +title: Deploy expedited updates with Windows Update for Business deployment service +description: Use Windows Update for Business deployment service to deploy expedited updates. +ms.prod: windows-client +author: mestew +ms.localizationpriority: medium +ms.author: mstewart +manager: aaroncz +ms.topic: article +ms.technology: itpro-updates +ms.date: 02/14/2023 +--- + +# Deploy expedited updates with Windows Update for Business deployment service + + +***(Applies to: Windows 11 & Windows 10)*** + +In this article, you will: +> [!div class="checklist"] +> +> * [Open Graph Explorer](#open-graph-explorer) +> * [Run queries to identify test devices](#run-queries-to-identify-devices) +> * [List catalog entries for expedited updates](#list-catalog-entries-for-expedited-updates) +> * [Create a deployment](#create-a-deployment) +> * [Add members to the deployment audience](#add-members-to-the-deployment-audience) +> * [Delete a deployment](#delete-a-deployment) + +## Prerequisites + +All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met. + +### Permissions + + +[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)] + +## Open Graph Explorer + + +[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)] + +## Run queries to identify devices + + +[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)] + +## List catalog entries for expedited updates + +Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. 
Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates. + +```msgraph-interactive +GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3 +``` + +The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update: + +```json +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries", + "value": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", + "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432", + "displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later", + "deployableUntilDateTime": null, + "releaseDateTime": "2023-01-10T00:00:00Z", + "isExpeditable": true, + "qualityUpdateClassification": "security" + }, + ... + ] +} +``` + +## Create a deployment + +When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body. 
+ +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/deployments +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.deployment", + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", + "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432" + } + }, + "settings": { + "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings", + "expedite": { + "isExpedited": true + }, + "userExperience": { + "daysUntilForcedReboot": 2 + } + } +} +``` + +The request returns a 201 Created response code and a [deployment](/graph/api/resources/windowsupdates-deployment) object in the response body for the newly created deployment, which includes: + +- The **Deployment ID** `de910e12-3456-7890-abcd-ef1234567890` of the newly created deployment. +- The **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567` of the newly created deployment audience. 
+ +```json +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity", + "id": "de910e12-3456-7890-abcd-ef1234567890", + "createdDateTime": "2023-02-09T22:55:04.8547517Z", + "lastModifiedDateTime": "2023-02-09T22:55:04.8547524Z", + "state": { + "effectiveValue": "offering", + "requestedValue": "none", + "reasons": [] + }, + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", + "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432", + "displayName": null, + "deployableUntilDateTime": null, + "releaseDateTime": "2023-01-10T00:00:00Z", + "isExpeditable": false, + "qualityUpdateClassification": "security" + } + }, + "settings": { + "schedule": null, + "monitoring": null, + "contentApplicability": null, + "userExperience": { + "daysUntilForcedReboot": 2 + }, + "expedite": { + "isExpedited": true + } + }, + "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity", + "audience": { + "id": "d39ad1ce-0123-4567-89ab-cdef01234567", + "applicableContent": [] + } +} +``` + +## Add members to the deployment audience + +The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited. 
+ +The following example adds two devices to the deployment audience using the **Azure AD ID** for each device: + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience +content-type: application/json + +{ + "addMembers": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + } + ] +} +``` + +To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members + ``` + +## Delete a deployment + +To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created. + + +The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`: + +```msgraph-interactive +DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890 +``` + + + +[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] \ No newline at end of file diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md new file mode 100644 index 0000000000..b1a289befa --- /dev/null +++ b/windows/deployment/update/deployment-service-feature-updates.md 
@@ -0,0 +1,292 @@
+---
+title: Deploy feature updates with Windows Update for Business deployment service.
+description: Use Windows Update for Business deployment service to deploy feature updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy feature updates with Windows Update for Business deployment service
+
+***(Applies to: Windows 11 & Windows 10)***
+
+The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
+
+This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
+
+In this article, you will:
+> [!div class="checklist"]
+> * [Open Graph Explorer](#open-graph-explorer)
+> * [Run queries to identify devices](#run-queries-to-identify-devices)
+> * [Enroll devices](#enroll-devices)
+> * [List catalog entries for feature updates](#list-catalog-entries-for-feature-updates)
+> * [Create a deployment](#create-a-deployment)
+> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
+> * [Pause a deployment](#pause-a-deployment)
+> * [Delete a deployment](#delete-a-deployment)
+> * [Unenroll devices](#unenroll-devices)
+
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met. 
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## Enroll devices
+
+When you enroll devices into feature update management, the deployment service becomes the authority for feature updates coming from Windows Update.
+As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
+
+> [!TIP]
+> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience. 
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
+
+## List catalog entries for feature updates
+
+Each feature update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). The `id` returned is the **Catalog ID** and is used to create a deployment. Feature updates are deployable until they reach their support retirement dates. For more information, see the support lifecycle dates for [Windows 10](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11](/lifecycle/products/windows-11-enterprise-and-education) Enterprise and Education editions. The following query lists all deployable feature update catalog entries:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')
+```
+
+The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f` for the Windows 11, version 22H2 feature update:
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
+ "displayName": "Windows 11, version 22H2",
+ "deployableUntilDateTime": "2025-10-14T00:00:00Z",
+ "releaseDateTime": "2022-09-20T00:00:00Z",
+ "version": "Windows 11, version 22H2"
+ }
+ ]
+}
+```
+
+## Create a deployment
+
+When creating a deployment for a feature update, there are multiple options available to define how the deployment behaves. The deployment and monitoring settings are optional. 
The following [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) are defined in the example request body for deploying the Windows 11, version 22H2 feature update (**Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f`):
+
+- Deployment [start date](/graph/api/resources/windowsupdates-schedulesettings) of February 14, 2023 at 5 AM UTC
+- [Gradual rollout](/graph/api/resources/windowsupdates-gradualrolloutsettings) at a rate of 100 devices every three days
+- [Monitoring rule](/graph/api/resources/windowsupdates-monitoringrule) that will pause the deployment if five devices rollback the feature update
+- Default [safeguard hold](/graph/api/resources/windowsupdates-safeguardprofile) behavior of applying all applicable safeguards to devices in a deployment
+ - When safeguard holds aren't explicitly defined, the default safeguard hold behavior is applied automatically
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
+content-type: application/json
+
+{
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f"
+ }
+ },
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-14T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": "100"
+ }
+ },
+ "monitoring": {
+ "monitoringRules": [
+ {
+ "signal": "rollback",
+ "threshold": 5,
+ "action": "pauseDeployment"
+ }
+ ]
+ }
+ }
+}
+```
+
+The response body will contain:
+- The new **Deployment ID**, `de910e12-3456-7890-abcd-ef1234567890` in the example
+- The new **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567` in the example
+- Any settings defined in the deployment request body
+
+ 
```json
+ {
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
+ "id": "de910e12-3456-7890-abcd-ef1234567890",
+ "createdDateTime": "2023-02-07T19:21:15.425905Z",
+ "lastModifiedDateTime": "2023-02-07T19:21:15Z",
+ "state": {
+ "effectiveValue": "scheduled",
+ "requestedValue": "none",
+ "reasons": []
+ },
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
+ "displayName": "Windows 11, version 22H2",
+ "deployableUntilDateTime": "2025-10-14T00:00:00Z",
+ "releaseDateTime": "0001-01-01T00:00:00Z",
+ "version": "Windows 11, version 22H2"
+ }
+ },
+ "settings": {
+ "contentApplicability": null,
+ "userExperience": null,
+ "expedite": null,
+ "schedule": {
+ "startDateTime": "2023-02-14T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": 100
+ }
+ },
+ "monitoring": {
+ "monitoringRules": [
+ {
+ "signal": "rollback",
+ "threshold": 5,
+ "action": "pauseDeployment"
+ }
+ ]
+ }
+ },
+ "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
+ "audience": {
+ "id": "d39ad1ce-0123-4567-89ab-cdef01234567",
+ "applicableContent": []
+ }
+ }
+ ```
+
+### Edit a deployment
+
+To [update deployment](/graph/api/windowsupdates-deployment-update), PATCH the deployment resource by its **Deployment ID** and supply the updated settings in the request body. 
The following example keeps the existing gradual rollout settings that were defined when creating the deployment but changes the deployment start date to February 28, 2023 at 5 AM UTC:
+
+```msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+content-type: application/json
+
+{
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-28T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": "100"
+ }
+ }
+ }
+}
+
+```
+
+Verify the deployment settings for the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+## Add members to the deployment audience
+
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered. 
+
+The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
+
+ ```msgraph-interactive
+ POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
+ content-type: application/json
+
+ {
+ "addMembers": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcdef"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde0"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde1"
+ }
+ ]
+ }
+ ```
+
+To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
+ ```
+
+## Pause a deployment
+
+To pause a deployment, PATCH the deployment to have a `requestedValue` of `paused` for the [deploymentState](/graph/api/resources/windowsupdates-deploymentstate). To resume the deployment, use the value `none` and the state will either update to `offering` or `scheduled` if the deployment hasn't reached the start date yet.
+
+The following example pauses the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
+ "state": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
+ "requestedValue": "paused"
+ }
+}
+```
+
+## Delete a deployment
+
+To remove the deployment completely, DELETE the deployment. 
Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+
+
+The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+## Unenroll devices
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 3d655149d9..4b8e52781b 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -6,98 +6,67 @@ author: mestew
 ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
+ms.topic: overview
 ms.technology: itpro-updates
 ms.date: 12/31/2017
 ---
-
-
 # Windows Update for Business deployment service
-**Applies to**
+***(Applies to: Windows 11 & Windows 10)***
-- Windows 10
-- Windows 11
+The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.
-The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
+Windows Update for Business product family has three elements:
-The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. It provides the following abilities:
+- Client policy to govern update experiences and timing, which are available through Group Policy and CSPs
+- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
+- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
-- You can schedule deployment of updates to start on a specific date (for example, deploy 20H2 to specified devices on March 14, 2021). 
-- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021).
-- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
-- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization.
-- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices.
+The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md).
-The service is privacy focused and backed by leading industry compliance certifications.
+:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family.":::
-## How it works
+## How the deployment service works
-The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md).
+With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. 
Because the deployment service is directly integrated with Windows Update, once the admin defines the deployment behavior, Windows Update is already aware of how device should be directed to install updates when the device scans. The deployment service creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an admin.
-:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text.":::
-
-Windows Update for Business comprises three elements:
-- Client policy to govern update experiences and timing – available through Group Policy and CSPs
-- Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell)
-- Windows Update for Business reports to monitor update deployment
-
-Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
-
-:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
 Using the deployment service typically follows a common pattern:
-1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune.
-2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
+1. 
An admin uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app, or a more complete management solution such as Microsoft Intune.
+2. The chosen management tool conveys your approval, scheduling, and device selection information to the deployment service.
 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
-The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune.
+ :::image type="content" source="media/wufbds-interaction-small.png" alt-text="Diagram displaying ":::
-## Prerequisites
+The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
-To work with the deployment service, devices must meet all these requirements:
+## Capabilities of the Windows Update for Business deployment service
-- Be running Windows 10, version 1709 or later (or Windows 11)
-- Be joined to Azure Active Directory (AD) or Hybrid AD
-- Have one of the following Windows 10 or Windows 11 editions installed:
- - Pro
- - Enterprise
- - Education
- - Pro Education
- - Pro for Workstations
+The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. 
The service provides the following capabilities for updates:
-Additionally, your organization must have one of the following subscriptions:
-- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
-- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
-- Windows Virtual Desktop Access E3 or E5
-- Microsoft 365 Business Premium
+- **Approval and scheduling**: Approve and schedule deployment of updates to start on a specific date
+ - *Example*: Deploy the Windows 11 22H2 feature update to specified devices on February 17, 2023.
+- **Gradual rollout**: Stage deployments over a period of days or weeks by specifying gradual rollout settings
+ - *Example*: Deploy the Windows 11 22H2 feature update to 500 devices per day, beginning on February 17, 2023
+- **Expedite**: Bypass the configured Windows Update for Business policies to immediately deploy a security update across the organization
+- **Safeguard holds**: Automatically holds the deployment for devices that may be impacted by an update issue identified by Microsoft machine-learning algorithms
-## Getting started
+Certain capabilities are available for specific update classifications:
-To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
+|Capabilities | [Quality updates](deployment-service-expedited-updates.md) | [Feature updates](deployment-service-feature-updates.md) | [Drivers and firmware](deployment-service-drivers.md)|
+|---|---|---|---|
+|Approval and scheduling | | Yes | Yes |
+|Gradual rollout | | Yes | |
+|Expedite | Yes | | |
+|Safeguard holds| | Yes | |
-### Using Microsoft Intune
-
-Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). 
-
-### Scripting common actions using PowerShell
-
-The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
-
-### Building your own application
-
-Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
-- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
-- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
-
-Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
 ## Deployment protections
 The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout.
-### Schedule rollouts with automatic piloting
+### Gradual rollout
 The deployment service allows any update to be deployed over a period of days or weeks. Once an update has been scheduled, the deployment service optimizes the deployment based on the scheduling parameters and unique attributes spanning the devices being updated. The service follows these steps: 
@@ -106,80 +75,45 @@ The deployment service allows any update to be deployed over a period of days or
 3. Start deploying to earlier waves to build coverage of device attributes present in the population.
 4. Continue deploying at a uniform rate until all waves are complete and all devices are updated.
-This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves.
-
-You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring.
+This built-in piloting capability complements your existing [deployment ring](waas-quick-start.md) structure and provides another support for reducing and managing risk during an update. This capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. Continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring.
 ### Safeguard holds against likely and known issues
-Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. 
Safeguard holds apply to deployments by default, but you can opt out.
-
-To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold)
+Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service also extends safeguard holds to protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold).
 ### Monitoring deployments to detect rollback issues
 During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
-### How to enable deployment protections
+## Get started with the deployment service
-Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft.
+To use the deployment service, you use a management tool built on the platform like Microsoft Intune, script common actions using PowerShell, or build your own application. 
-#### Device prerequisites
+To learn more about the deployment service and the deployment process, see:
-- Diagnostic data is set to *Required* or *Optional*.
-- The **AllowWUfBCloudProcessing** policy is set to **8**.
+- [Prerequisites for Windows Update for Business deployment service](deployment-service-prerequisites.md)
+- [Deploy feature updates using Graph Explorer](deployment-service-feature-updates.md)
+- [Deploy expedited updates using Graph Explorer](deployment-service-expedited-updates.md)
+- [Deploy driver and firmware updates using Graph Explorer](deployment-service-drivers.md)
-#### Set the **AllowWUfBCloudProcessing** policy
+### Scripting common actions using PowerShell
-To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy.
+The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
-| Policy| Sets registry key under `HKLM\Software`|
-|--|--|
-| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` |
-| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` |
+### Building your own application
-Following is an example of setting the policy using Intune:
+Microsoft Graph makes deployment service APIs available through. Get started with the resources below:
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
+- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
+- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
-2. Select **Devices** > **Configuration profiles** > **Create profile**.
+- Windows Update for Business deployment service [sample driver deployment application](https://github.com/microsoftgraph/windowsupdates-webapplication-sample) on GitHub
+- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)
-3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
+### Use Microsoft Intune
-4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
-
-5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
- - Name: **AllowWUfBCloudProcessing**
- - Description: Enter a description.
- - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- - Data type: **Integer**
- - Value: **8**
-
-6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
-
-7. In **Review + create**, review your settings, and then select **Create**.
-
-8. (Optional) To verify that the policy reached the client, check the value of the following registry entry:
-
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing`
-
-## Best practices
-Follow these suggestions for the best results with the service.
-
-### Device onboarding
-
-- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
-
-- Use the deployment service for feature update management without feature update deferral policy. 
If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
-
-### General
-
-Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.
-
-
-## Next steps
-
-To learn more about the deployment service, try the following:
+Microsoft Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see:
 - [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates)
-- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)
+- [Expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates)
+
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
new file mode 100644
index 0000000000..ad489103a6
--- /dev/null
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -0,0 +1,108 @@ +--- +title: Prerequisites for the Windows Update for Business deployment service +description: Prerequisites for using the Windows Update for Business deployment service. +ms.prod: windows-client +author: mestew +ms.localizationpriority: medium +ms.author: mstewart +manager: aaroncz +ms.topic: article +ms.technology: itpro-updates +ms.date: 02/14/2023 +--- + +# Windows Update for Business deployment service prerequisites + +***(Applies to: Windows 11 & Windows 10)*** + +Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites. + +## Azure and Azure Active Directory + +- An Azure subscription with [Azure Active Directory](/azure/active-directory/) +- Devices must be Azure Active Directory-joined and meet the below OSrequirements. + - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business + +## Licensing + +Windows Update for Business deployment service requires users of the devices to have one of the following licenses: + +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows Virtual Desktop Access E3 or E5 +- Microsoft 365 Business Premium + +## Operating systems and editions + +- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions +- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions + +Windows Update for Business deployment service supports Windows client devices on the **General Availability Channel**. 
+ +### Windows operating system updates + +- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: + - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. + - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` + +- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended + +## Diagnostic data requirements + +Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](deployment-service-drivers.md), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level (previously called *Basic*) for these features. 
+ +When you use [Windows Update for Business reports](wufb-reports-overview.md) in conjunction with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting: + +- *Optional* level (previously *Full*) for Windows 11 devices +- *Enhanced* level for Windows 10 devices + +## Permissions + +- [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) + - Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions. + +> [!NOTE] +> Leveraging other parts of the Graph API might require additional permissions. For example, to display [device](/graph/api/resources/device) information, a minimum of [Device.Read.All](/graph/permissions-reference#device-permissions) permission is needed. + +## Required endpoints + +- Have access to the following endpoints: + +- [Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update) + - *.prod.do.dsp.mp.microsoft.com + - *.windowsupdate.com + - *.dl.delivery.mp.microsoft.com + - *.update.microsoft.com + - *.delivery.mp.microsoft.com + - tsfe.trafficshaping.dsp.mp.microsoft.com +- Windows Update for Business deployment service endpoints + + - devicelistenerprod.microsoft.com + - login.windows.net + - payloadprod*.blob.core.windows.net + +- [Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config): *(Recommended, but not required. 
Without this access, devices might not expedite updates until their next daily check for updates.)* + - *.notify.windows.com + + +## Limitations + + +[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] + + +## General tips for the deployment service + +Follow these suggestions for the best results with the service: + +- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + +- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. + +- Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index f584bbae71..f6be148c37 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md 
@@ -15,10 +15,7 @@ ms.date: 12/31/2017 # Troubleshoot the Windows Update for Business deployment service -**Applies to** - -- Windows 10 -- Windows 11 +***(Applies to: Windows 11 & Windows 10)*** This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json). 
@@ -35,3 +32,30 @@ This troubleshooting guide addresses the most common issues that IT administrato - Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates). - **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors. + +### The device installed a newer update then the expedited update I deployed + +There are some scenarios when a deployment to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy. + +Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots. + +A more recent update is deployed when the following conditions are met: + +- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install. + +- During the process to expedite an update, the device runs a new scan that detects the newer update. 
This can occur due to the timing of: + - When the device restarts to complete installation + - When the device runs its daily scan + - When a new update becomes available + + When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update. + +While expedite update deployments will override an update deferral for the update version that's specified, they don't override deferrals that are in place for any other update version. + + +[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md new file mode 100644 index 0000000000..fda5f5a881 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md 
@@ -0,0 +1,63 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + +A deployment audience is a collection of devices that you want to deploy updates to. The audience needs to be created first, then members are added to the audience. Use the following steps to create a deployment audience, add members, and verify it: + +1. To create a new audience, **POST** to the [deployment audience](/graph/api/resources/windowsupdates-deploymentaudience) resource with a request body of `{}`. + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences + content-type: application/json + + {} + ``` + + The POST returns an HTTP status code of `201 Created` as a response with the following body, where `id` is the **Audience ID**: + + ```json + { + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deploymentAudiences/$entity", + "id": "d39ad1ce-0123-4567-89ab-cdef01234567", + "reportingDeviceCount": 0, + "applicableContent": [] + } + ``` + + +1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device. 
+ + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience + content-type: application/json + + { + "addMembers": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde1" + } + ] + } + ``` + +1. To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members + ``` diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md new file mode 100644 index 0000000000..d8c96ee718 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md 
@@ -0,0 +1,45 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments through the deployment service: + +### Policies that exclude drivers from Windows Update for a device + +The following policies exclude drivers from Windows Update for a device: + +- **Locations of policies that exclude drivers**: + - **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled` + - **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1` + - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1` + - **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow` + +**Behavior with the deployment service**: Devices with driver exclusion polices that are enrolled for **drivers** and added to an audience though the deployment service: + - Will display the applicable driver content in the deployment service + - Won't install drivers that are approved from the deployment service + - If drivers are deployed to a device that's blocking 
them, the deployment service displays the driver is being offered and reporting displays the install is pending. + +### Policies that define the source for driver updates + +The following policies define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS): + +- **Locations of policies that define an update source**: + - **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update` + - **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source + - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1` + - **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business. + +**Behavior with the deployment service**: Devices with these update source policies that are enrolled for **drivers** and added to an audience though the deployment service: + - Will display the applicable driver content in the deployment service + - Will install drivers that are approved from the deployment service + +> [!NOTE] +> When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device. \ No newline at end of file 
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md new file mode 100644 index 0000000000..0ae067e62f --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md @@ -0,0 +1,45 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +You enroll devices based on the types of updates you want them to receive. Currently, you can enroll devices to receive feature updates (`feature`) or drivers (`driver`). You can enroll devices to receive updates from multiple update classifications. + +1. To enroll devices, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [enrollAssets](/graph/api/windowsupdates-updatableasset-enrollassets). The following example enrolls three devices to receive driver updates: + 1. In Graph Explorer, select **POST** from the drop-down list for the HTTP verb. + 1. Enter the following request into the URL field:
    + `https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets` + 1. In the **Request body** tab, enter the following JSON, supplying the following information: + - **Azure AD Device ID** as `id` + - Either `feature` or `driver` for the updateCategory + + ```json + { + "updateCategory": "driver", + "assets": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde1" + } + ] + } + ``` + + 1. Select the **Run query** button. The results will appear in the **Response** window. In this case, the HTTP status code of `202 Accepted`. + + :::image type="content" source="../media/7512398-deployment-enroll-asset-graph.png" alt-text="Screenshot of successfully enrolling assets through Graph Explorer." lightbox="../media/7512398-deployment-enroll-asset-graph.png" ::: diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md new file mode 100644 index 0000000000..b2f438598f --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md 
@@ -0,0 +1,54 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +Use the [device](/graph/api/resources/device) resource type to find clients to enroll into the deployment service. Change the query parameters to fit your specific needs. For more information, see [Use query parameters](/graph/query-parameters). + +- Displays the **AzureAD Device ID** and **Name** of all devices: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$select=deviceid,displayName + ``` + +- Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$filter=startswith(displayName,'Test')&$select=deviceid,displayName + ``` + + +### Add a request header for advanced queries + +For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries). + +1. In Graph Explorer, select the **Request headers** tab. +1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`. +1. Select the **Add** button. When you're finished, remove the request header by selecting the trash can icon. 
+ + :::image type="content" source="../media/7512398-deployment-service-graph-modify-header.png" alt-text="Screenshot of the request headers tab in Graph Explorer" lightbox="../media/7512398-deployment-service-graph-modify-header.png"::: + +- Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"&$select=displayName,operatingSystemVersion + ``` + +- To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion + ``` + +> [!Tip] +> Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`: +> - The `deviceid` is the **Azure AD Device ID** and will be used in this article. +> - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience. +> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md new file mode 100644 index 0000000000..23bbb2b2d9 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md 
@@ -0,0 +1,18 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +The following permissions are needed for the queries listed in this article: + +- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations. +- At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information. + +Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md new file mode 100644 index 0000000000..3b19cd934d --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md 
@@ -0,0 +1,34 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/adminwindowsupdates) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/graph-explorer-overview). + +> [!WARNING] +> +> - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium). +> - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding. + +1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account. +1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: + 1. Select the **Modify permissions** tab in Graph Explorer. + 1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent. 
+ + :::image type="content" source="../media/7512398-wufbds-graph-modify-permission.png" alt-text="Screenshot of the modify permissions tab in Graph Explorer" lightbox="../media/7512398-wufbds-graph-modify-permission.png" ::: + +1. To make requests: + 1. Select either GET, POST, PUT, PATCH, or DELETE from the drop-down list for the HTTP method. + 1. Enter the request into the URL field. The version will populate automatically based on the URL. + 1. If you need to modify the request body, edit the **Request body** tab. + 1. Select the **Run query** button. The results will appear in the **Response** window. + + > [!TIP] + > When reviewing [Microsoft Graph documentation](/graph/), you may notice example requests usually list `content-type: application/json`. Specifying `content-type` typically isn't required for Graph Explorer, but you can add it to the request by selecting the **Headers** tab and adding the `content-type` to the **Request headers** field as the **Key** and `application/json` as the **Value**. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md new file mode 100644 index 0000000000..f85f158a63 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md 
@@ -0,0 +1,42 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers: + +- Existing driver deployments from the service won't be offered to the device +- The device will continue to receive feature updates from the deployment service +- Drivers may start being installed from Windows Update depending on the device's configuration + +To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify: +- **Azure AD Device ID** as `id` for the device +- Either `feature` or `driver` for the updateCategory + +The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`: + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets +content-type: application/json + +{ + "updateCategory": "driver", + "assets": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + } + ] +} +``` 
diff --git a/windows/deployment/update/includes/wufb-deployment-limitations.md b/windows/deployment/update/includes/wufb-deployment-limitations.md new file mode 100644 index 0000000000..34e70ba899 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-limitations.md @@ -0,0 +1,13 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md new file mode 100644 index 0000000000..4e0d5caaff --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md 
@@ -0,0 +1,21 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + +## Log location for the Update Health Tools + +The Update Health Tools are used when you deploy expedited updates. In some cases, you may wish to review the logs for the Update Health Tools. + +**Log location**: `%ProgramFiles%\Microsoft Update Health Tools\Logs` + +- The logs are in `.etl` format. + - Microsoft offers [PerfView as a download on GitHub](https://github.com/Microsoft/perfview/blob/main/documentation/Downloading.md), which displays `.etl` files. + +For more information, see [Troubleshooting expedited updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-the-most-out-of-expedited-windows-quality-updates/ba-p/3659741). diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index 3dc65fd476..457b880be1 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md index 727f6eec4b..1975275322 100644 --- a/windows/deployment/update/includes/wufb-reports-endpoints.md +++ b/windows/deployment/update/includes/wufb-reports-endpoints.md 
@@ -1,9 +1,9 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: dougeby
-ms.prod: w10
-ms.collection: M365-modern-desktop
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
 ms.topic: include
 ms.date: 04/06/2022
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
index 4a9b61242e..5bdb86a402
--- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
+++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
@@ -1,9 +1,9 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: dougeby
-ms.prod: w10
-ms.collection: M365-modern-desktop
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
 ms.topic: include
 ms.date: 08/18/2022
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md
index 94e46ac38f..37caa47a4d
--- a/windows/deployment/update/includes/wufb-reports-recommend.md
+++ b/windows/deployment/update/includes/wufb-reports-recommend.md
@@ -2,8 +2,8 @@
 author: mestew
 ms.author: mstewart
 manager: aaroncz
-ms.prod: w10
-ms.collection: M365-modern-desktop
+ms.technology: itpro-updates
+ms.prod: windows-client
 ms.topic: include
 ms.date: 12/05/2022
 ms.localizationpriority: medium
@@ -11,4 +11,5 @@ ms.localizationpriority: medium > [!Important] -> Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). +> - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). +> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md index 6d4248cbb0..5dc0512de0 100644 --- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md +++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium 
diff --git a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
index 1b22ab60cd..5eab6c5de8
--- a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
+++ b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
@@ -1,9 +1,9 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: dougeby
-ms.prod: w10
-ms.collection: M365-modern-desktop
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
 ms.topic: include
 ms.date: 08/10/2022
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png b/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png
new file mode 100644
index 0000000000..9d0310652a
Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png differ
diff --git a/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png b/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png
new file mode 100644
index 0000000000..44fb8ee6ab
Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png differ
diff --git a/windows/deployment/update/media/7512398-deployment-service-overview.png b/windows/deployment/update/media/7512398-deployment-service-overview.png
new file mode 100644
index 0000000000..2e2085fb27
Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-service-overview.png differ
diff --git a/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png b/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png
new file mode 100644
index 0000000000..cfa73d5175
Binary files /dev/null and b/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png differ
diff --git a/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png b/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png new file mode 100644 index 0000000000..261418b6ce Binary files /dev/null and b/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png differ diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/media/wufb-do-overview.png similarity index 100% rename from windows/deployment/update/images/wufb-do-overview.png rename to windows/deployment/update/media/wufb-do-overview.png diff --git a/windows/deployment/update/media/wufbds-product-large.png b/windows/deployment/update/media/wufbds-product-large.png deleted file mode 100644 index f74c499411..0000000000 Binary files a/windows/deployment/update/media/wufbds-product-large.png and /dev/null differ diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 2d8e1183db..2e2c5100e7 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -53,6 +53,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru [!INCLUDE [Update Compliance script error codes](./includes/wufb-reports-script-error-codes.md)] ## Verify device configuration - -[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)]: + + +[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)] diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index 72b284c0c6..c99c4f7dc8 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md 
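Review bot: In the update-compliance-configuration-script.md hunk, the repaired include line still carries the label "Endpoints for Update Compliance" although the file it pulls in is wufb-reports-verify-device-configuration.md; the label isn't rendered, but a mismatched one misleads the next editor. Suggest `[!INCLUDE [Verify device configuration for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)]`. This commit removes the same include from wufb-reports-configuration-script.md and wufb-reports-help.md while keeping it here; if the verification guidance was relocated to another Windows Update for Business reports page, those two files could link to it, but from this diff I can't see whether it was.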
@@ -17,6 +17,10 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 + +[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)] + + Update Compliance is fully committed to privacy, centering on these tenets: - **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md index 784ab095bd..a521c8c546 100644 --- a/windows/deployment/update/wufb-reports-configuration-script.md +++ b/windows/deployment/update/wufb-reports-configuration-script.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.localizationpriority: medium ms.topic: article -ms.date: 11/15/2022 +ms.date: 02/10/2023 ms.technology: itpro-updates --- @@ -43,10 +43,6 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru 1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. 1. If there are issues, gather the logs and provide them to Microsoft Support. -## Verify device configuration - - -[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)] ## Script errors diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 378595d1f7..a29bce0bb7 100644 --- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md 
@@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 11/15/2022 +ms.date: 02/10/2023 ms.technology: itpro-updates --- @@ -87,11 +87,6 @@ To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedb Use the following troubleshooting tips to resolve the most common problems when using Windows Update for Business reports: -### Verify client configuration - - -[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)] - ### Ensuring devices are configured correctly to send data The first step in troubleshooting Windows Update for Business reports is ensuring that devices are configured. Review [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) for the settings. We recommend using the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) for troubleshooting and configuring devices. diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index aa140f9778..13c5e19777 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md 
@@ -16,7 +16,7 @@ ms.technology: itpro-updates Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you: -- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices +- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices - Report on devices with update compliance issues - Analyze and display your data in multiple ways diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index cbd081c2c7..ace317b4e1 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 11/15/2022 +ms.date: 02/14/2023 ms.technology: itpro-updates --- @@ -23,6 +23,8 @@ Before you begin the process of adding Windows Update for Business reports to yo - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports. - The Log Analytics workspace must be in a [supported region](#log-analytics-regions) +- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md) + ## Permissions 
@@ -47,19 +49,26 @@ Windows Update for Business reports supports Windows client devices on the follo - General Availability Channel - Windows Update for Business reports *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them. +### Windows operating system updates + +- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended + ## Diagnostic data requirements -At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). Some queries in Windows Update for Business reports require devices to send diagnostic data at the following levels: +At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). -- *Optional* level (previously *Full*) for Windows 11 devices +For some queries, such as Windows 11 eligibility reporting, Windows Update for Business reports requires devices to send diagnostic data at the following levels: + +- *Optional* level for Windows 11 devices (previously *Full*) - *Enhanced* level for Windows 10 devices - > [!Note] - > Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using policy. 
The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: - > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) - > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds** +Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: -For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + + - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) + - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds** + + Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). ## Data transmission requirements 
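Review bot: In the wufb-reports-prerequisites.md hunk, the device-name opt-in is demoted from a `[!Note]` callout to plain paragraph text, which drops the emphasis on a setting that causes device names to be sent in Windows diagnostic data; keeping the callout, or opening the paragraph with `Sending device names in diagnostic data is an opt-in.`, keeps that privacy-relevant choice visible to readers skimming the page. The new "Windows operating system updates" bullet reads awkwardly and names no specific update; consider `- To support the [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), install the January 2023 release preview cumulative update or a later update.` with a link to that release if one exists. The re-added `- CSP:` and `- Group Policy:` items appear to carry a leading space before the list marker; if that isn't an artifact of this view, remove the indent so they render as a top-level list.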
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 6bd8442700..12318c9c53
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -20,6 +20,7 @@ Update Event that combines the latest client-based data with the latest service-
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
 | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID |
+|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
 | **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
 | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
 | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
@@ -29,9 +30,11 @@ Update Event that combines the latest client-based data with the latest service-
 | **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
 | **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
 | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
+| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
 | **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
 | **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
 | **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
+| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
 | **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
 | **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
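Review bot: The new `IsUpdateHealty` row in the UCClientUpdateStatus table looks misspelled; if the column is actually named `IsUpdateHealthy`, queries copied from this page will fail, and if the service really exposes the misspelled name, a short remark saying so would save readers a round trip. The `SourceSystem` row is added with an empty description, and the same empty row is added to the UCServiceUpdateStatus table later in this diff; both should at least say what the column means and what values it takes beyond `Azure`. The bool sample is given as `1` while the linked Kusto bool type is written `true`/`false`; `true` would be the safer sample.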
@@ -40,8 +43,10 @@ Update Event that combines the latest client-based data with the latest service-
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
 | **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
 | **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
+| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
 | **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index 78efd1d68b..e515e80e13
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -43,4 +43,4 @@ These alerts are activated as a result of an issue that is device-specific. It i
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 87184d6464..8e8e34ea82
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -20,15 +20,33 @@ Update Event that comes directly from the service-side. The event has only servi
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
 | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
+|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
+| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
+| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
+| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
+| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
+| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
 | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
 | **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
+| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
+| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
+| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
 | **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
 | **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
 | **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
+| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
+| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Azure AD tenant ID |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
+| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
+| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
+| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
+| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
+|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
+| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index f00e02af9e..db70047ed0
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
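Review bot: In the UCServiceUpdateStatus table, the new `TenantId` row ("Azure AD tenant ID") duplicates the existing `AzureADTenantId` row without saying how the two differ, and it reuses the exact sample value given for `PolicyId` (`9011c330-1234-5678-9abc-def012345678`), which reads as a copy-paste slip; either describe the distinction or give `TenantId` its own sample. `DeploymentIsExpedited` is inserted after `DeploymentName`, breaking the alphabetical order the rest of the table follows. As in UCClientUpdateStatus, `SourceSystem` is added with an empty description and the bool sample is `1` rather than `true`.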
@@ -42,8 +42,10 @@ Alert for both client and service updates. Contains information that needs atten
 | **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
 | **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
+| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
 | **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
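Review bot: The new `UpdateId` row in the UCUpdateAlert table is appended after `URL`, while the rest of the table is alphabetical; it belongs between `UpdateClassification` and `URL`. Moving it keeps the column list scannable, and the row's content itself is fine.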
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index c6ddd21005..279be81249 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -15,14 +15,15 @@ ms.technology: itpro-updates ***(Applies to: Windows 11 & Windows 10)*** -[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into four tab sections: +[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections: - [Summary](#summary-tab) - [Quality updates](#quality-updates-tab) - [Feature updates](#feature-updates-tab) - [Delivery Optimization](#bkmk_do) +- [Driver updates](#driver-updates-tab) -:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook with the three tabbed sections outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png"::: +:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook. The three tabbed sections are outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png"::: ## Open the Windows Update for Business reports workbook 
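Review bot: The rewritten alt text in wufb-reports-workbook.md still says "The three tabbed sections are outlined in red" while the list directly above it now enumerates five tabs (Summary, Quality updates, Feature updates, Delivery Optimization, Driver updates). Either update the screenshot and its alt text together or describe what is actually outlined, for example `Screenshot of the summary tab in the Windows Update for Business reports workbook. The tab bar is outlined in red.`. Dropping the count from the intro sentence ("broken down into tab sections") avoids the problem there, but the alt text wasn't given the same treatment.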
@@ -137,7 +138,40 @@ The **Device status** group for feature updates contains the following items:
 - **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices.
 - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
-## Delivery Optimization (preview tab)
+## Driver updates tab
+
+The **Driver update** tab provides information on driver and firmware update deployments from [Windows Update for Business deployment service](deployment-service-overview.md). Generalized data is at the top of the page in tiles. The data becomes more specific as you navigate lower in this tab. The top of the driver updates tab contains tiles with the following information:
+
+**Devices taking driver updates**: Count of devices that are installing driver and firmware updates.
+**Approved updates**: Count of approved driver updates
+**Total policies**: The total number of deployment polices for driver and firmware updates from [Windows Update for Business deployment service](deployment-service-overview.md)
+**Active alerts**: Count of active alerts for driver deployments
+
+Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
+
+:::image type="content" source="media/7539531-wufb-reports-workbook-drivers.png" alt-text="Screenshot of the update status tab for driver updates." lightbox="media/7539531-wufb-reports-workbook-drivers.png":::
+
+Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates**](#feature-updates-tab) tabs, the **Driver updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. 
These different chart groups allow you to easily discover trends in compliance data.
+
+### Update status group for drivers
+
+The **Update status** group for driver updates contains the following items:
+
+- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates.
+- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class.
+- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates.
+
+The **Update deployment status** table displays information about deployed driver updates for your devices. Drill-in further by selecting a value from the **TotalDevices** column to display the status of a specific driver for a specific policy along with information about the installation status for each device.
+
+### Device status group for driver updates
+
+The **Device status** group for driver updates contains the following items:
+
+- **Device alerts**: Count of active device alerts for driver updates in each alert classification.
+- **Device compliance status**: Table containing a list of devices getting a driver update and installation information including active alerts for the devices.
+ - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
+
+## Delivery Optimization
 The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
@@ -154,7 +188,8 @@ The Delivery Optimization tab is further divided into the following groups:
 - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**.
 - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**.
-:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png":::
+:::image type="content" source="media/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="media/wufb-do-overview.png":::
+
 ## Customize the workbook
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a6540780aa..5a0761c2f4 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -79,8 +79,12 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 - Office Click-to-run
 - Last Intune device check in completed within the last 28 days.
 - Devices must have Serial Number, Model and Manufacturer.
- > [!NOTE]
- > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
 For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 800f387276..79ff9e1b78 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -17,8 +17,6 @@ msreviewer: hathind
 > [!IMPORTANT]
 > Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues.
-You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
-
 ## Submit a new support request
 Support requests are triaged and responded to as they're received.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 3c5bb1f346..92e00968e2 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -91,7 +91,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad
 Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
 - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
-- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
+- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
 There are two automated deployment ring remediation functions:
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index b58aa2938f..cf2a56aadc 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/02/2023
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -37,6 +37,9 @@ If a device is registered with Windows Autopatch, and the device is:
 - Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
 - On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
 ## Windows feature update policy configuration
 If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
@@ -71,7 +74,15 @@ Windows Autopatch uses Microsoft Intune’s built-in solution, which uses config
 Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
-## Pausing and resuming a release
+## Release management
+
+> [!NOTE]
+> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
+
+### Pausing and resuming a release
+
+> [!CAUTION]
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 > [!IMPORTANT]
 > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

    For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

    
@@ -88,18 +99,18 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
 8. If you're resuming an update, you can select one or more deployment rings.
 9. Select **Okay**.
-If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update.
+If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update.
 > [!NOTE]
-> The **Service Paused** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
+> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
 ## Rollback
-Windows Autopatch doesn’t support the rollback of Windows Feature updates.
+Windows Autopatch doesn’t support the rollback of Windows feature updates.
 > [!CAUTION]
-> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update.
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). 
If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 ## Contact support
-If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index c8ab6062c6..6245326cc1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 12/15/2022
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+msreviewer: andredm7
 ---
 
 # Windows quality updates
@@ -33,6 +33,9 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
 | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+
 ## Windows quality update releases
 Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
@@ -54,6 +57,9 @@ Windows Autopatch configures these policies differently across deployment rings
 ## Release management
+> [!NOTE]
+> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
+
 In the Release management blade, you can:
 - Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
@@ -89,7 +95,7 @@ By default, the service expedites quality updates as needed. For those organizat
 **To turn off service-driven expedited quality updates:**
 1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
-2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting.
+2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
 > [!NOTE]
 > Windows Autopatch doesn't allow customers to request expedited releases.
@@ -108,6 +114,11 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 ### Pausing and resuming a release
+> [!CAUTION]
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+
+The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+
 If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
 > [!IMPORTANT]
@@ -125,12 +136,13 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
 8. If you're resuming an update, you can select one or more deployment rings.
 9. Select **Okay**.
-There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
+The three following statuses are associated with paused quality updates:
 | Status | Description |
 | ----- | ------ |
-| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
-| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
+| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
+| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
+| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
 ## Remediating Ineligible and/or Not up to Date devices
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 6e707c4ca8..8020721473 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -42,6 +42,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
 | Educate users on the Windows Autopatch end user update experience
    • [Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)
    • [Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)
    • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
    • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
    | :heavy_check_mark: | :x: |
 | Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
+| [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: |
 | [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: |
 | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
 | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
@@ -83,7 +84,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
 | [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
 | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
-| Review and respond to Message Center and Service Health Dashboard notifications
    • [Windows quality and feature update communications](../operate/windows-autopatch-windows-quality-update-communications.md)
    • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
    | :heavy_check_mark: | :x: | +| Review and respond to Message Center and Service Health Dashboard notifications
    • [Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md)
    • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
    | :heavy_check_mark: | :x: |
 | [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: |
 | [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: |
 | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index c36be7a98b..44447d5697 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -14,7 +14,7 @@ msreviewer: hathind
 # Submit a tenant enrollment support request
-If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool.
 > [!NOTE]
 > After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 5ff4c62390..b66883ee6d 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -44,12 +44,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
 | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
 | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
-The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:
+The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
 - Windows 10 (1809+)/11 Pro
 - Windows 10 (1809+)/11 Enterprise
 - Windows 10 (1809+)/11 Pro for Workstations
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+
 ## Configuration Manager co-management requirements
 Windows Autopatch fully supports co-management. The following co-management requirements apply:
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 5155521cf1..59f23fbd84 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -14,7 +14,7 @@ msreviewer: hathind
 # Changes made at tenant enrollment
-The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service.
+The following configuration details explain the changes made to your tenant when enrolling into the Windows Autopatch service.
 > [!IMPORTANT]
 > The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
@@ -27,17 +27,19 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
    • DeviceManagementApps.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.PriviligedOperation.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementRBAC.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • Directory.Read.All
    • Group.Create
    • Policy.Read.All
    • WindowsUpdates.Read.Write.All
    | +| Modern Workplace Management | The Modern Workplace Management application:
    • Manages the service
    • Publishes baseline configuration updates
    • Maintains overall service health
    |
    • DeviceManagementApps.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.PriviligedOperation.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementRBAC.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • Directory.Read.All
    • Group.Create
    • Policy.Read.All
    • WindowsUpdates.ReadWrite.All
    |
 ### Service principal
-Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
+Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
 - Modern Workplace Customer APIs
 ## Azure Active Directory groups
-Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
+Windows Autopatch will create the required Azure Active Directory groups to operate the service.
+
+The following groups target Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
 | Group name | Description |
 | ----- | ----- |
@@ -59,8 +61,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
-| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
    1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
    2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
    3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
    4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
    5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
    6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
    |
    1. Enable telemetry change notifications
    2. Enable Telemetry opt-in Settings
    3. Full
    4. Enabled
    5. Enabled
    6. Enabled
    | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) |
    • MDM policy is used
    • GP policy is blocked
    | +| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
    1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
    2. [Configure Telemetry Opt In Settings UX](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
    3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
    4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
    5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
    6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
    |
    1. Enable telemetry change notifications
    2. Enable Telemetry opt-in Settings
    3. Full
    4. Enabled
    5. Enabled
    6. Enabled
    | ## Deployment rings for Windows 10 and later @@ -76,13 +78,13 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Fast
    |
    • QualityUpdatesDeferralPeriodInDays
    • FeatureUpdatesDeferralPeriodInDays
    • FeatureUpdatesRollbackWindowInDays
    • BusinessReadyUpdatesOnly
    • AutomaticUpdateMode
    • InstallTime
    • DeadlineForFeatureUpdatesInDays
    • DeadlineForQualityUpdatesInDays
    • DeadlineGracePeriodInDays
    • PostponeRebootUntilAfterDeadline
    • DriversExcluded
    |
    • 6
    • 0
    • 30
    • All
    • WindowsDefault
    • 3
    • 5
    • 2
    • 2
    • False
    • False
    • | | Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Broad
      |
      • QualityUpdatesDeferralPeriodInDays
      • FeatureUpdatesDeferralPeriodInDays
      • FeatureUpdatesRollbackWindowInDays
      • BusinessReadyUpdatesOnly
      • AutomaticUpdateMode
      • InstallTime
      • DeadlineForFeatureUpdatesInDays
      • DeadlineForQualityUpdatesInDays
      • DeadlineGracePeriodInDays
      • PostponeRebootUntilAfterDeadline
      • DriversExcluded
      |
      • 9
      • 0
      • 30
      • All
      • WindowsDefault
      • 3
      • 5
      • 5
      • 2
      • False
      • False
      • | -## Feature update policies +## Windows feature update policies - Windows Autopatch - DSS Policy [Test] - Windows Autopatch - DSS Policy [First] - Windows Autopatch - DSS Policy [Fast] - Windows Autopatch - DSS Policy [Broad] -- Windows Autopatch - DSS Policy [Windows 11] +- Modern Workplace DSS Policy [Windows 11] | Policy name | Policy description | Value | | ----- | ----- | ----- | @@ -90,7 +92,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Windows Autopatch - DSS Policy [First] | DSS policy for First device group | Assigned to:
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace - Windows 11 Pre-Release Test Devices
        • | | Windows Autopatch - DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
          • Modern Workplace Devices-Windows Autopatch-Fast

          Exclude from:
          • Modern Workplace - Windows 11 Pre-Release Test Devices
          | | Windows Autopatch - Policy [Broad] | DSS policy for Broad device group | Assigned to:
          • Modern Workplace Devices-Windows Autopatch-Broad

          Exclude from:
          • Modern Workplace - Windows 11 Pre-Release Test Devices
          | -| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
          • Modern Workplace - Windows 11 Pre-Release Test Devices
          | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
          • Modern Workplace - Windows 11 Pre-Release Test Devices
          | ## Microsoft Office update policies @@ -103,10 +105,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

          Assigned to:

          1. Modern Workplace Devices-Windows Autopatch-Test
          2. Modern Workplace Devices-Windows Autopatch-First
          3. Modern Workplace Devices-Windows Autopatch-Fast
          4. Modern Workplace Devices-Windows Autopatch-Broad
          |
          1. Enable Automatic Updates
          2. Hide option to enable or disable updates
          3. Update Channel
          4. Channel Name (Device)
          5. Hide Update Notifications
          6. Update Path
          |
          1. Enabled
          2. Enabled
          3. Enabled
          4. Monthly Enterprise Channel
          5. Disabled
          6. Enabled
          | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

          Assigned to:

          1. Modern Workplace Devices-Windows Autopatch-Test
          |
          1. Delay downloading and installing updates for Office
          2. Update Deadline
          |
          1. Enabled;Days(Device) == 0 days
          2. Enabled;Update Deadline(Device) == 7 days
          | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

          Assigned to:

          1. Modern Workplace Devices-Windows Autopatch-First
          |
          1. Delay downloading and installing updates for Office
          2. Update Deadline
          |
          1. Enabled;Days(Device) == 0 days
          2. Enabled;Update Deadline(Device) == 7 days
          | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

          Assigned to:

          1. Modern Workplace Devices-Windows Autopatch-Fast
          |
          1. Delay downloading and installing updates for Office
          2. Update Deadline
          |
          1. Enabled;Days(Device) == 3 days
          2. Enabled;Update Deadline(Device) == 7 days
          | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
          Assigned to:
          1. Modern Workplace Devices-Windows Autopatch-Broad
          2. |
            1. Delay downloading and installing updates for Office
            2. Update Deadline
            |
            1. Enabled;Days(Device) == 7 days
            2. Enabled;Update Deadline(Device) == 7 days
            | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

            Assigned to:

            1. Modern Workplace Devices-Windows Autopatch-Test
            |
            1. Delay downloading and installing updates for Office
            2. Update Deadline
            |
            1. Enabled; `Days(Device) == 0 days`
            2. Enabled; `Update Deadline(Device) == 7 days`
            | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

            Assigned to:

            1. Modern Workplace Devices-Windows Autopatch-First
            |
            1. Delay downloading and installing updates for Office
            2. Update Deadline
            |
            1. Enabled; `Days(Device) == 0 days`
            2. Enabled; `Update Deadline(Device) == 7 days`
            | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

            Assigned to:

            1. Modern Workplace Devices-Windows Autopatch-Fast
            |
            1. Delay downloading and installing updates for Office
            2. Update Deadline
            |
            1. Enabled; `Days(Device) == 3 days`
            2. Enabled; `Update Deadline(Device) == 7 days`
            | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
            Assigned to:
            1. Modern Workplace Devices-Windows Autopatch-Broad
            2. |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
              1. Enabled; `Days(Device) == 7 days`
              2. Enabled; `Update Deadline(Device) == 7 days`
              |
## Microsoft Edge update policies
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index ceede02bef..747f5c18ae 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 01/31/2023
+ms.date: 02/22/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -24,9 +24,20 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
-| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the Microsoft Windows 10/11 diagnostic data section |
+| [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version) |
+| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) |
+| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) |
+| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
-| [Register your devices](../deploy/windows-autopatch-register-devices.md) |
              • Updated the Built-in roles required for registration section
              • Added more information about assigning less-privileged user accounts
              |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) |
              • Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section
              • Added more information about assigning less-privileged user accounts
              |
+
+### February service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC517330](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Ability to opt out of Microsoft 365 App updates |
+| [MC517327](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned service maintenance downtime for European Union (EU) Windows Autopatch customers enrolled before November 8, 2022 |
## January 2023
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index f1b885b970..c1b07ce9d8 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
+ "ms.collection": [
+ "tier1"
+ ],
"audience": "ITPro",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index c7c58e1c97..0e92139786 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 12/13/2018
ms.topic: how-to
---
@@ -179,4 +180,4 @@ When resetting the size of your data history to a lower value, be sure to turn o
## Related Links
- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)
-- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?)
\ No newline at end of file
+- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index ad82dd742d..d94dfccb33 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/27/2017
ms.topic: reference
---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 08d84ce2f3..e5c6bbb3a2 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/27/2017
ms.topic: reference
---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 82c0da11c8..dc1df5efdf 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/27/2017
ms.topic: reference
---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 7e66c4320a..b0975595c9 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,6 +7,7 @@ localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/27/2017
ms.topic: reference
---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 0511791230..c1efb0d547 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/27/2017
ms.topic: reference
---
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 3c972e9333..01ea346024 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 06/04/2020
ms.topic: conceptual
---
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 669941fd55..247eab8256 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/11/2016
ms.collection: highpri
ms.topic: conceptual
---
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 122f0717a3..ea7edc20e5 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/09/2018
ms.collection: highpri
ms.topic: how-to
---
@@ -172,4 +173,4 @@ The **Review problem reports** tool opens, showing you your Windows Error Report
- Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer.
-**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.
\ No newline at end of file
+**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 01d4412ac3..4810a1dd57 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 10/12/2017
ms.topic: reference
---
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index f111d92f7a..fb53b23a7e 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 06/28/2021
ms.collection: highpri
ms.topic: reference
---
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index d3e9576785..5494398cf6 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 05/15/2019
ms.topic: conceptual
---
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f1c14f475f..f83a2778dc 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/07/2016
ms.collection: highpri
ms.topic: conceptual
---
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 9de85e40cf..37ab742b30 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 0bd15bbb50..4f20129c27 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
@@ -495,4 +496,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 20e9fec7fb..d83acf0faf 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
# Manage connection endpoints for Windows 10 Enterprise, version 1903
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index bfbd385697..71a9674bfc 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
# Manage connection endpoints for Windows 10 Enterprise, version 1909
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index a95f038a8d..9e492fa5e4 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
# Manage connection endpoints for Windows 10 Enterprise, version 2004
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index c292c6f1ed..dbce1a6460 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 0e47b473b6..9292ba3890 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 49eb5a3b58..423e60aac0 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 01/18/2018
ms.topic: reference
---
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 0c95faec8a..76b11fdfd5 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -8,6 +8,7 @@ localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 08/26/2022
ms.topic: reference
---
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 134027663f..e640615c80 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -7,6 +7,7 @@ localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 05/28/2020
ms.collection: highpri
ms.topic: reference
---
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 113a447b76..90eb52b460 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,6 +7,7 @@ localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 05/28/2020
ms.collection: highpri
ms.topic: reference
---
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 0dc8c28071..c981c76fa6 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 05/20/2019
ms.topic: conceptual
---
@@ -251,4 +252,4 @@ An administrator can configure privacy-related settings, such as choosing to onl
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
* [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
-* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\ No newline at end of file
+* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 480e474f63..7b46179c9d 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 12/17/2020
ms.topic: reference
---
# Windows 11 connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index f4777d4afa..164bc33b67 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/31/2017
ms.topic: reference
---
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 04381116ab..63ed56d1a2 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 03/31/2017
ms.collection: highpri
ms.topic: reference
---
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index 692ea4127b..85910f867e 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 06/29/2018
ms.topic: reference
---
# Windows 10, version 1809, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
index cffad0f0e4..544fdaf06d 100644
--- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 06/29/2018
ms.topic: reference
---
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 364bbda151..6ff9f92fef 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
+ms.date: 07/20/2020
ms.topic: reference
---
# Windows 10, version 1909, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index 72c2c99868..095cbad7b5 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/11/2020
 ms.topic: reference
 ---
 # Windows 10, version 2004, connection endpoints for non-Enterprise editions
@@ -195,4 +196,3 @@ The following methodology was used to derive the network endpoints:
 |www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service
 |www.msftconnecttest.com|HTTP|Network Connection (NCSI)
 |www.office.com|HTTPS|Microsoft Office
-
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
index a909428902..7980832e2b 100644
--- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 12/17/2020
 ms.topic: reference
 ---
 # Windows 10, version 20H2, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
index 379e4110bc..d168f6790d 100644
--- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 12/17/2020
 ms.topic: reference
 ---
 # Windows 10, version 21H1, connection endpoints for non-Enterprise editions
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index dc04109fd8..9f840b293a 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -328,8 +328,6 @@ href: identity-protection/credential-guard/credential-guard-requirements.md - name: Manage Credential Guard href: identity-protection/credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: identity-protection/credential-guard/dg-readiness-tool.md - name: Credential Guard protection limits href: identity-protection/credential-guard/credential-guard-protection-limits.md - name: Considerations when using Credential Guard diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 27db0f26ae..6d99441988 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:
              Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

              To learn more, see [Mobile device management](/windows/client-management/mdm/). | -| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

              The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

              To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

              The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

              To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

              The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

              If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

              With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

              To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index 768b1e3c3f..2edd15d942 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -1,7 +1,6 @@ --- title: Cryptography and Certificate Management description: Get an overview of cryptography and certificate management in Windows -search.appverid: MET150 author: paolomatarazzo ms.author: paoloma manager: aaroncz @@ -9,9 +8,6 @@ ms.topic: conceptual ms.date: 09/07/2021 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: skhadeer, raverma --- diff --git a/windows/security/docfx.json b/windows/security/docfx.json index bb2804df03..54f2278102 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.localizationpriority": "medium", @@ -74,6 +77,16 @@ "identity-protection/hello-for-business/*.md": "erikdau", "identity-protection/credential-guard/*.md": "zwhittington", "identity-protection/access-control/*.md": "sulahiri" + }, + "ms.collection":{ + "identity-protection/hello-for-business/*.md": "tier1", + "information-protection/bitlocker/*.md": "tier1", + "information-protection/personal-data-encryption/*.md": "tier1", + "information-protection/pluton/*.md": "tier1", + "information-protection/tpm/*.md": "tier1", + "threat-protection/auditing/*.md": "tier3", + "threat-protection/windows-defender-application-control/*.md": "tier3", + "threat-protection/windows-firewall/*.md": "tier3" } }, "template": [], 
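Review bot: The two `ms.collection` values added to docfx.json use different shapes: under `globalMetadata` it is an array (`"ms.collection": ["tier2"]`), while every glob in the new `fileMetadata` `"ms.collection"` map carries a bare string such as `"tier1"` or `"tier3"`. Both forms are presumably accepted by the build, but as far as I can tell a `fileMetadata` entry replaces rather than merges with the global value, so a page matching `identity-protection/hello-for-business/*.md` would end up tagged only `tier1`; if that is the intent, writing the per-glob values as single-element arrays (`"identity-protection/hello-for-business/*.md": ["tier1"],`) keeps one shape throughout the file and makes the replacement explicit. The front-matter overrides elsewhere in this commit (`local-accounts.md`, `credential-guard-manage.md`) already use the list form.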
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index 262ed05694..781c1f164d 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -1,7 +1,6 @@ --- title: Encryption and data protection in Windows description: Get an overview encryption and data protection in Windows 11 and Windows 10 -search.appverid: MET150 author: frankroj ms.author: frankroj manager: aaroncz @@ -9,9 +8,6 @@ ms.topic: overview ms.date: 09/22/2022 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: rafals --- diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 0f1ca8d5c4..4ddce5cb4e 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md 
@@ -29,14 +29,14 @@ Object owners generally grant permissions to security groups rather than to indi This content set contains: -- [Dynamic Access Control Overview](dynamic-access-control.md) -- [Security identifiers](security-identifiers.md) -- [Security Principals](security-principals.md) +- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview) +- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers) +- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals) - [Local Accounts](local-accounts.md) - - [Active Directory Accounts](active-directory-accounts.md) - - [Microsoft Accounts](microsoft-accounts.md) - - [Service Accounts](service-accounts.md) - - [Active Directory Security Groups](active-directory-security-groups.md) + - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts) + - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts) + - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts) + - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups) ## Practical applications diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif deleted file mode 100644 index fb60cd5599..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png
deleted file mode 100644
index 93e5e8e098..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png
deleted file mode 100644
index 7aad6b6a7b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png
deleted file mode 100644
index 2b6c1394b9..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png
deleted file mode 100644
index 65508e5cf4..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png
deleted file mode 100644
index 4653a66f29..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png
deleted file mode 100644
index b4e379a357..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png
deleted file mode 100644
index c725fd4f55..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png
deleted file mode 100644
index 999303a2d6..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png
deleted file mode 100644
index b80fc69397..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png
deleted file mode 100644
index 412f425ccf..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png
deleted file mode 100644
index b80fc69397..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png
deleted file mode 100644
index b2f6d3e1e2..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png
deleted file mode 100644
index 8dda5403cf..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png
deleted file mode 100644
index e96b26abe1..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif
deleted file mode 100644
index d8a4d99dd2..0000000000
Binary files a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif
deleted file mode 100644
index f76182ee25..0000000000
Binary files a/windows/security/identity-protection/access-control/images/corpnet.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png
deleted file mode 100644
index e70fa02c92..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png
deleted file mode 100644
index 085993f92c..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png
deleted file mode 100644
index 282cdb729d..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png
deleted file mode 100644
index 89fc916400..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png
deleted file mode 100644
index d8d5af1336..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png
deleted file mode 100644
index ba3f15f597..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png
deleted file mode 100644
index 2d44e29e1b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png
deleted file mode 100644
index 89136d1ba0..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png
deleted file mode 100644
index f2d3a7596b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg deleted file mode 100644 index cd7d341065..0000000000 Binary files a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg and /dev/null differ diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 5a35d2853f..f6baab162b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal ms.date: 12/05/2022 ms.collection: - highpri + - tier2 ms.topic: article appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index e4eb399ed3..ec9ce3c4e8 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -1,9 +1,10 @@ --- title: Manage Windows Defender Credential Guard (Windows) -description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. +description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry. ms.date: 11/23/2022 ms.collection: - highpri + - tier2 ms.topic: article appliesto: - ✅ Windows 10 and later 
@@ -38,7 +39,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. > [!NOTE] 
@@ -151,19 +152,6 @@ To enable, use the Control Panel or the Deployment Image Servicing and Managemen > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. -### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool - -You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool.ps1 -Enable -AutoReboot -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - ### Review Windows Defender Credential Guard performance #### Is Windows Defender Credential Guard running? 
@@ -178,17 +166,6 @@ You can view System Information to check that Windows Defender Credential Guard :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: -You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool_v3.6.ps1 -Ready -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md deleted file mode 100644 index 5051ce94cd..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ /dev/null @@ -1,494 +0,0 @@ ---- -title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) -description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Credential Guard: scripts for certificate authority issuance policies - -Expand each section to see the PowerShell scripts: - -
              -
              -Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. - -
              - -
              -
              -Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? 
-OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. -ExitNoLinkReplacement = Exiting without setting the new link. 
-'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq $null) { -# default to the Users container -$groupContainer = 
$domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adgroup -samAccountName $groupName -path 
$groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) { -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in 
$members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - -
              diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 6548d02f17..0ab05c22ab 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -5,6 +5,7 @@ ms.date: 11/22/2022 ms.topic: article ms.collection: - highpri + - tier2 appliesto: - ✅ Windows 10 and later - ✅ Windows Server 2016 and later diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md deleted file mode 100644 index d834db9710..0000000000 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ /dev/null 
@@ -1,1381 +0,0 @@ ---- -title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool - -```powershell -# Script to find out if a machine is Device Guard compliant. -# The script requires a driver verifier present on the system. - -param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) - -Set-StrictMode -Version Latest - -$path = "C:\DGLogs\" -$LogFile = $path + "DeviceGuardCheckLog.txt" - -$CompatibleModules = New-Object System.Text.StringBuilder -$FailingModules = New-Object System.Text.StringBuilder -$FailingExecuteWriteCheck = New-Object System.Text.StringBuilder - -$DGVerifyCrit = New-Object System.Text.StringBuilder -$DGVerifyWarn = New-Object System.Text.StringBuilder -$DGVerifySuccess = New-Object System.Text.StringBuilder - - -$Sys32Path = "$env:windir\system32" -$DriverPath = "$env:windir\system32\drivers" - -#generated by certutil -encode -$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA -HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC -NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC -NwoDFQwAAAABCisGAQQBgjdMAwEMAAAAAQorBgEEAYI3TAUBDAAAAAEKKwYBBAGC -N0wLAQEAAAAGAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -BgAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAA -AQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAUAAAABAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAAAEAAAABAAAA 
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAYAAAABAAAAAgAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABgAAAAEAAAADAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAUAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAADgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAEAAAAOAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAA4AAAABAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAA4AAAABAAAA -AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADgAAAAEAAAADAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAAAQAAAAEAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQAAAABAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAPye3j3MoJGGstO/m3OKIFDLGlVN -otyttV8/cu4XchN4AQAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAHAAAA -AQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAoAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAKAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAYAAAABAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAABwAAAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAAFAAAAIMAAAAAAAAADIAAAAsAAAAAAAAAAAAAAAEAAAAAAAAA -AgAAAAAAAAADAAAAAAAAAAQAAAAAAAAABQAAAAAAAAALAAAAAAAAAAwAAAAAAAAA -DQAAAAAAAAAOAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAMAAAAAAAAAAyAAAASAAAABgAAAAAAAAAHAAAAAAAAAAgAAAAAAAAA -CQAAAAAAAAAKAAAAAAAAABMAAAAAAAAADwAAAAAAAAAQAAAAAAAAABEAAAAAAAAA -EgAAAAAAAAAUAAAAAAAAABUAAAAAAAAAGgAAAAAAAAAbAAAAAAAAABwAAAAAAAAA -FgAAAAAAAAAXAAAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAgAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA 
-SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAQAAABJAGQAAAAAAAMAAAAMAAAA -MAAzADEAMAAxADcAAAAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA -SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAgAAABOAGEAbQBlAAAAAAADAAAA -JgAAAEQAZQBmAGEAdQBsAHQAVwBpAG4AZABvAHcAcwBBAHUAZABpAHQAAAAAAAAA -AwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAA -BQAAAAYAAAA=" - -$HSTITest_Encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADxXZfstTz5v7U8+b+1PPm/2GH4vrc8+b+8RGq/ojz5v9hh+r63PPm/2GH9vr48+b+1PPi/qjz5v9hh+b60PPm/2GHwvrc8+b/YYfu+tDz5v1JpY2i1PPm/AAAAAAAAAABQRQAAZIYFAGt3EVgAAAAAAAAAAPAAIiALAg4AABIAAAAaAAAAAAAAkBsAAAAQAAAAAACAAQAAAAAQAAAAAgAACgAAAAoAAAAKAAAAAAAAAABwAAAABAAAxcwAAAMAYEEAAAQAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAEDkAAGQAAAB0OQAABAEAAAAAAAAAAAAAAFAAACABAAAAAAAAAAAAAABgAAAYAAAAwDUAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAA0AAAAAAAAAAAAAAA4DAAAEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAMURAAAAEAAAABIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAB4DwAAADAAAAAQAAAAFgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAwAUAAABAAAAAAgAAACYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAACABAAAAUAAAAAIAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAYAAAAAGAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAABIiVwkCFVWV0FWQVdIi+xIg+wwM/9IjUU4TIv5iX1ISI1NSIl9QEUzyYl9OEyNRUBIiUQkIDPS6AwJAACL2D1XAAeAD4WrAAAAi0VASGnYDCIAAP8V/yAAAI13CEyLw0iLyIvW/xX2IAAATIvwSIXAdQe7DgAHgOtxi104/xXWIAAARIvDi9ZIi8j/FdAgAABIi/BIhcB1B7sOAAeA6x5IjUU4TIvOTI1FQEiJRCQgSYvWSI1NSOiNCAAAi9j/FZUgAABNi8Yz0kiLyP8VlyAAAEiF9nQU/xV8IAAATIvGM9JIi8j/FX4gAAA5fUhAD5THQYk/i8NIi1wkYEiDxDBBX0FeX15dw8zMzMzMzMzMzOkzCAAAzMzMzMzMzEiJXCQYSIl0JCBXSIHscAEAAEiLBbsuAABIM8RIiYQkYAEAAA8QBRkhAACL8kiL+TPSSI1MJGBBuPQAAADzD39EJFDo6g4AAEiDZCQwAEiNTCRQg2QkQABFM8nHRCQogAAAALoAAABAx0QkIAMAAABFjUEB/xWSHwAASIvYSIP4/3RGQbkCAAAARTPAM9JIi8j/FX0fAACD+P90HkiDZCQgAEyNTCRARIvGSIvXSIvL/xVmHwAAhcB1Bv8VPB8AAEiLy/8VYx8AAEiLjCRgAQAASDPM6AsLAABMjZwkcAEAAEmLWyBJi3MoSYvjX8PMzMzMzMxIg+woM9JMi8lIhcl0Hrr///9/M8BEi8I4AXQJSP/BSYPoAXXzTYXAdSEz0rhXAAeAM8mFwEgPScp4C41RAUmLyejG/v//SIPEKMNJK9Dr4czMzMzMzMzMSIlcJAhIiXQkEFdIg+wgQYvZSYv4SIvy6Iv///+L00iLz+iN/v//SIvOSItcJDBIi3QkOEiDxCBf6Wr////MzMzMzMyJVCQQSIPsKAkRSI0Nsx8AAOhO////ugQAAABIjUwkOOhL/v//SI0NqB8AAOgz////SIPEKMPMzMzMzMxAVVNWV0FUQVVBVkFXSI1sJOFIgeyYAAAASIsF6CwAAEgzxEiJRQ9FM/ZIiVXnM9JIiU3vRIl1p0GL3kiJXbdJi8BIiUXXTYvpRIl1r0GL/kSJdfdFi+ZIiVX7RYv+SIlVA0yJdc9IhckPhBEFAABIhcAPhAgFAABNhckPhP8EAABBgzkBdBHHRaeAAAAAvwJAAIDp7QQAAEiNDQkfAADohP7//0WLfQREiX2/SWnfDCIAAP8Vtx0AAEyLw7oIAAAASIvI/xWuHQAATIvgSIXAdShIjQ3vHgAA6Er+////FUwdAAAPt/iBzwAAB4CFwA9O+EmL3umLBAAASI0N9x4AAOgi/v//RIl1s0WF/w+EiwIAAEmNXQhIiV3HSY20JAwCAABIjQ32HgAA6Pn9//+LQwiJhvT9//+FwHktPbsAAMB1EUiNDe4eAADo2f3//+kaAgAASI0N/R4AAOjI/f//g02nQOkFAgAAixtJA92DOwN0Gw+6bacIugEAAABIjY78/f//6Dv+///p4AEAAEyNhgD+//+6BAAAAEmLwEiNSwgPEAFIjYmAAAAADxEASI2AgAAAAA8QSZAPEUiQDxBBoA8RQKAPEEmwDxFIsA8QQcAPEUDADxBJ0A8RSNAPEEHgDxFA4A8QSfAPEUjwSIPqAXWuQbkAAgAASI0VgB4AAEiNDYEeAADodP3//4uLCAIAALoAEAAAQYv+TI0ES0iBwQwCAABMA8FIi85MK8ZIjYL+7/9/SIXAdBdBD7cECGaFwHQNZokBSIPBAkiD6gF13UiF0nUJSIPpAr96AAeAZkSJMUiNFSYeAABIjQ0nHgAAQbkAIAAATIvG6AH9//9MjXMEQYsOjUH/g/gDD4fDAAAA/0SN90iNFQMeAACJjvj9//9BuQQAAABIjQ34HQAATYvG6Mj8//9BiwaDfIX3AXZESI2O/P3//7oEAAAA6PH8//9Biw6D6QF0JYPpAXQag+kBdA+
D+QEPhaIAAACDTacI63eDTacE63GDTacC62uDTacB62WD+AF1YIuDCAIAAEyNRa9BuQQAAACJRa9IjRWTHQAASI0NrB0AAOhP/P//RTP2RDl1r3UOD7ptpwlBjVYI6TX+//9IjYMMAgAASIlFz+sZD7ptpwlIjY78/f//ugIAAADoWfz//0Uz9otFs0iBxgwiAABIg0XHDP/AiUWzQTvHcxdIi13H6ZP9//+/BUAAgEiLXbfp5wEAAEQ5dad0DkiNDU0dAADoePv//+vji12v/xW1GgAARIvDuggAAABIi8j/FawaAABIiUW3SIvYSIXAdRZIjQ1JHQAA6ET7//+/FwAA0OmXAQAASI0NYx0AAOgu+///i0WvRI2wBgEAAEaNNHBEiXWzRYX/D4TFAAAASY1cJAhJjXUISI0N+xsAAOj++v//gXv4uwAAwHUOSI0N/hsAAOjp+v//63xEOXYEcxS6EAAAAA+6bacJSIvL6Gv7///rYosOSQPNi4EIAgAAO0WvdAe6CAAAAOvaRTPATI0MQUyNFAhEOUWvdjpMi3W3Qw+2jBAMAgAA99FDhIwIDAIAAHQID7ptpwmDCyBDioQIDAIAAEMIBDBB/8BEO0Wvcs5Ei3WzSIPGDEiBwwwiAABJg+8BD4VM////RIt9v0iLXbdFM/ZEOXWndBFIjQ0OHAAA6Dn6///pkQAAAEGL9kQ5da8PhoQAAABMi3W3TIttz0iNDYgcAADoE/r//4vGTI1Fq0G5AQAAAEiNFZgcAABCigwwSo0cKCILiE2rSI0NlBwAAOg/+v//QbkBAAAASI0VkhwAAEyLw0iNDZgcAADoI/r//4oDOEWrdBBIjQ2dHAAA6Lj5//+DTacg/8Y7da9yjuly+///v1cAB4BIjQ2sHAAA6Jf5//9BuQQAAABMjUWnSI0VphwAAEiNDa8cAADo0vn//02F5HRdTIt150iLdddNhfZ0NEQ5PnIvSI0NnBwAAOhX+f//QYvHSYvUTGnADCIAAEmLzuh0BwAASI0NmxwAAOg2+f//6wW/VwAHgESJPv8VbhgAAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkFdQVxfXltdw8zMzMzMzMxIi8RIiVgISIloEEiJcBhXQVZBV0iD7DCDYNgATYvxSYv4TI1I2EiL8kyL+UUzwDPSuaYAAAD/FWwYAACL2D0EAADAdAkPuusc6dkAAACDfCQgFHMKuwVAAIDpyAAAAItcJCD/FacXAABEi8O6CAAAAEiLyP8VnhcAAEiL6EiFwHUKuw4AB4DpmwAAAESLRCQgRTPJSIvQuaYAAAD/FQYYAACL2IXAeQYPuusc6zdIjQ2TGwAA6A74//+LVCQgSIvN6A73//9IjQ2LGwAA6Pb3//9Mi81Mi8dIi9ZJi8/ovfj//4vYSIt8JHCLdCQgSIX/dBk5N3IVTYX2dBBEi8ZIi9VJi87o8AUAAOsFu1cAB4CJN/8V9xYAAEyLxTPSSIvI/xX5FgAASItsJFiLw0iLXCRQSIt0JGBIg8QwQV9BXl/DzMzMzMzMSIlcJAhXSIPsIIP6AXU8SI0VmhcAAEiNDYsXAADoaAMAAIXAdAczwOmjAAAASI0VbBcAAEiNDV0XAADoVgMAAP8FKiUAAOmAAAAAhdJ1fDkVUyUAAHRtSIsNGiUAAOgxAgAASIsNFiUAAEiL+OgiAgAASI1Y+OsXSIsL6BQCAABIhcB0Bv8VBRcAAEiD6whIO99z5IM9DSUAAAR2FP8VJRYAAEyLxzPSSIvI/xUnFgAA6O4BAABIiQXDJAAASIkFtCQAAIMlpSQAAAC4AQAAAEiLXCQwSIPEIF/DzMzMzMzMzMzMzMzMzMzMzMzMzMzMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1BeijAQAATIvHi9NIi85
Ii1wkMEiLdCQ4SIPEIF/pBwAAAMzMzMzMzMxMiUQkGIlUJBBIiUwkCFNWV0iB7JAAAACL+kiL8cdEJCABAAAAhdJ1EzkVDSQAAHULM9uJXCQg6d8AAACNQv+D+AF3MkyLhCTAAAAA6Hv+//+L2IlEJCDrFTPbiVwkIIu8JLgAAABIi7QksAAAAIXbD4SlAAAATIuEJMAAAACL10iLzujoAQAAi9iJRCQg6xUz24lcJCCLvCS4AAAASIu0JLAAAACD/wF1SIXbdURFM8Az0kiLzui1AQAA6xOLvCS4AAAASIu0JLAAAACLXCQgRTPAM9JIi87o7/3//+sTi7wkuAAAAEiLtCSwAAAAi1wkIIX/dAWD/wN1IEyLhCTAAAAAi9dIi87ov/3//4vYiUQkIOsGM9uJXCQgi8NIgcSQAAAAX15bw8zMzMzMzMzMzMxmZg8fhAAAAAAASDsN6SIAAHUQSMHBEGb3wf//dQHDSMHJEOmSAQAAzMzMzMzMSP8ltRQAAMzMzMzMzMzMzDPJSP8lmxQAAMzMzMzMzMxIiVwkIFVIi+xIg+wgSINlGABIuzKi3y2ZKwAASIsFiSIAAEg7ww+FjwAAAEiNTRj/FU4UAABIi0UYSIlFEP8VABQAAIvASDFFEP8V/BMAAIvASDFFEP8VIBQAAIvASMHgGEgxRRD/FRAUAACLwEiNTRBIM0UQSDPBSI1NIEiJRRD/FeUTAACLRSBIuf///////wAASMHgIEgzRSBIM0UQSCPBSLkzot8tmSsAAEg7w0gPRMFIiQXxIQAASItcJEhI99BIiQXqIQAASIPEIF3DzMzMzMzM/yXYEgAAzMzMzMzM/yXEEgAAzMzMzMzMzMxIg+wog/oBdQb/FTUTAAC4AQAAAEiDxCjDzMzMzMzMzMzMzMzMzMzMzMzMzMIAAMzMzMzMzMzMzEBTSIPsIEiL2TPJ/xWTEgAASIvL/xWCEgAA/xUUEwAASIvIugkEAMBIg8QgW0j/JfgSAADMzMzMzMzMzMzMzMzMzMzMSIlMJAhIgeyIAAAASI0NHSIAAP8VLxMAAEiLBQgjAABIiUQkSEUzwEiNVCRQSItMJEj/FSATAABIiUQkQEiDfCRAAHRCSMdEJDgAAAAASI1EJFhIiUQkMEiNRCRgSIlEJChIjQXHIQAASIlEJCBMi0wkQEyLRCRISItUJFAzyf8VyxIAAOsjSIsFOiIAAEiLAEiJBZAiAABIiwUpIgAASIPACEiJBR4iAABIiwV3IgAASIkF6CAAAEiLhCSQAAAASIkF6SEAAMcFvyAAAAkEAMDHBbkgAAABAAAAxwXDIAAAAwAAALgIAAAASGvAAEiNDbsgAABIxwQBAgAAALgIAAAASGvAAUiNDaMgAABIixUsIAAASIkUAbgIAAAASGvAAkiNDYggAABIixUZIAAASIkUAbgIAAAASGvAAEiLDf0fAABIiUwEaLgIAAAASGvAAUiLDfAfAABIiUwEaEiNDdwPAADoU/7//0iBxIgAAADDzMzMzMzMzMzMzMzMzMzMzMzMzMzM/yWUEAAAzMzMzMzM/yWQEAAAzMzMzMzM/yWMEAAAzMzMzMzMzMxIg+woTYtBOEiLykmL0egRAAAAuAEAAABIg8Qow8zMzMzMzMxAU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIA0sI9kEDD3QMD7ZBA4Pg8EiYTAPITDPKSYvJW+kl/P//zMzMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMxAVUiD7CBIi+pIiU04SIsBixCJVSRIiU1AM8BIg8QgXcPMQFVIg+wgSIvqSIlNSEiLAYsQiVUoSIlNUDPASIPEIF3DzEBVSIPsIEiL6kiJTVhIiwGLEIlVLEiJTWAzwEiDxCBdw8xAVUiD7CBIi+pIiU1oSIsBixCJVTBIiU1wM8BIg8QgXcPMQFVIg+w
gSIvqSIlNeEiLAYsQiVU0SImNgAAAADPASIPEIF3DzEBVSIPsIEiL6kiDxCBdw8wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBAAIABAAAA8EAAgAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgAEAAAAAAAAAAAAAAAAAAAAAAAAAKDIAgAEAAAAwMgCAAQAAAFgyAIABAAAABQAAAAAAAAAANQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeD4AAAAAAABkPwAAAAAAAG4/AAAAAAAAAAAAAAAAAADOOwAAAAAAAMA7AAAAAAAAAAAAAAAAAAAQPQAAAAAAACw9AAAAAAAA6j4AAAAAAAAAAAAAAAAAAPo+AAAAAAAA2D4AAAAAAADMPgAAAAAAAAAAAAAAAAAACD8AAAAAAAAAAAAAAAAAAFI8AAAAAAAAFj8AAAAAAABGPAAAAAAAAAAAAAAAAAAA9DwAAAAAAAAAAAAAAAAAAJ48AAAAAAAAtDwAAAAAAABePQAAAAAAAEo9AAAAAAAAAAAAAAAAAACEPAAAAAAAAAAAAAAAAAAA5DwAAAAAAADKPAAAAAAAAAAAAAAAAAAAZDwAAAAAAAB0PAAAAAAAAAAAAAAAAAAAsD4AAAAAAAD6OwAAAAAAACg8AAAAAAAADjwAAAAAAAAAAAAAAAAAAHAeAIABAAAAACEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAgEQAAkBsAAHAeAADAHgAAAAAAAC5caHN0aXRyYWNlLmxvZwAgUHJvdmlkZXJFcnJvcjoAOlByb3ZpZGVyRXJyb3IgAERldGVybWluaW5nIENvdW50LiAAAAAAAAAAAAAAAAAAICEhISBFcnJvciBidWZmZXIgZmFpbGVkIGFsbG9jYXRpb24gISEhIAAAAAAAAAAARGV0ZXJtaW5lIFNlY3VyaXR5RmVhdHVyZXNTaXplLiAAAAAAAAAAAExvb3AuLi4gAAAAAAAAAAAAAAAAAAAAACBVbnN1cHBvcnRlZCBBSVAgaWdub3JlZCAAAAAAAAAAICEhISBVRUZJIFByb3RvY29sIEVycm9yIERldGVjdGVkICEhISAAADpJRCAAAAAAIElEOgAAAAA6RVJST1IgACBFUlJPUjoAOlJPTEUgAAAgUk9MRToAAAAAAAAAAAAAOnNlY3VyaXR5RmVhdHVyZXNTaXplIAAAAAAAAAAAAAAgc2VjdXJpdHlGZWF0dXJlc1NpemU6AAAAAAAAAAAAACAhISEgRXJyb3IgZGV0ZWN0ZWQsIGJhaWxpbmcgb3V0ICEhISAAAAAAAAAAAAAAAFZlcmlmaWVkIGJ1ZmZlciBhbGxvY2F0aW9uIGZhaWxlZC4AAAAAAAAAAAAAAAAAAExvb3Bpbmcgb24gcHJvdmlkZXJzIHRvIGFjY3VtdWxhdGUgaW1wbGVtZW50ZWQgYW5kIHZlcmlmaWVkLgAAAABDb21wYXJpbmcgcmVxdWlyZWQgYnl0ZSB0byB2ZXJpZmllZC4uLgAAOlZFUklGSUVEIAAAAAAAACBWRVJJRklFRDoAAAAAAAA6UkVRVUlSRUQgAAAAAAAAIFJFUVVJUkVEOgAAAAAAAAAAAAAAAAAAISEhIHZlcmlmaWVkIGJ5dGUgZG9lcyBub3QgbWF0Y2ggcmVxdWlyZWQgISEhAAAAQ0xFQU5VUCAAAAAAAAAAADpPVkVSQUxMAAAAAAAAAABPVkVSQUxMOgAAAAAAAAAAUHJvdmlkZXIgRXJyb3JzIGN
vcHkgc3RhcnQAAAAAAABQcm92aWRlciBFcnJvcnMgY29weSBlbmQAAAAAAAAAAEJMT0IgU3RhcnQ6AAAAAAA6QkxPQiBFbmQgIAAAAAAAAAAAAGt3EVgAAAAAAgAAACUAAAD4NQAA+BsAAAAAAABrdxFYAAAAAA0AAACgAQAAIDYAACAcAABSU0RT1J4Ttoijw0G4zY0uYG3g7wEAAABIc3RpVGVzdC5wZGIAAAAAR0NUTAAQAADwEAAALnRleHQkbW4AAAAA8CAAABIAAAAudGV4dCRtbiQwMAACIQAAwwAAAC50ZXh0JHgAADAAAOAAAAAucmRhdGEkYnJjAADgMAAASAEAAC5pZGF0YSQ1AAAAACgyAAAQAAAALjAwY2ZnAAA4MgAACAAAAC5DUlQkWENBAAAAAEAyAAAIAAAALkNSVCRYQ1oAAAAASDIAAAgAAAAuQ1JUJFhJQQAAAABQMgAACAAAAC5DUlQkWElaAAAAAFgyAAAYAAAALmNmZ3VhcmQAAAAAcDIAAIgDAAAucmRhdGEAAPg1AADIAQAALnJkYXRhJHp6emRiZwAAAMA3AABQAQAALnhkYXRhAAAQOQAAZAAAAC5lZGF0YQAAdDkAAPAAAAAuaWRhdGEkMgAAAABkOgAAFAAAAC5pZGF0YSQzAAAAAHg6AABIAQAALmlkYXRhJDQAAAAAwDsAALgDAAAuaWRhdGEkNgAAAAAAQAAAEAAAAC5kYXRhAAAAEEAAALAFAAAuYnNzAAAAAABQAAAgAQAALnBkYXRhAAABEwgAEzQMABNSDPAK4AhwB2AGUBkkBwASZDMAEjQyABIBLgALcAAAbCAAAGABAAABBAEABEIAAAEPBgAPZAcADzQGAA8yC3ABCAEACEIAABknCgAZARMADfAL4AnQB8AFcARgAzACUGwgAACIAAAAARgKABhkDAAYVAsAGDQKABhSFPAS4BBwGRgFABgBEgARcBBgDzAAAEYgAAAGAAAAGBwAAC0cAAAIIQAALRwAAEocAABkHAAAKiEAAGQcAACCHAAAkRwAAEwhAACRHAAApBwAALMcAABuIQAAsxwAAM8cAADpHAAAkCEAAOkcAAD5GwAA7xwAALUhAAAAAAAAAQYCAAYyAlABCgQACjQGAAoyBnAAAAAAAQAAAAENBAANNAkADTIGUAEGAgAGMgIwAQwCAAwBEQABAAAAAQIBAAIwAAAAAAAAAAAAAAAAAAAAAAAAd24RWAAAAABMOQAAAQAAAAIAAAACAAAAODkAAEA5AABIOQAAEBAAACARAABZOQAAYzkAAAAAAQBIU1RJVEVTVC5kbGwAUXVlcnlIU1RJAFF1ZXJ5SFNUSWRldGFpbHMAmDoAAAAAAAAAAAAA2jsAAAAxAACYOwAAAAAAAAAAAAA8PAAAADIAAAA7AAAAAAAAAAAAAHI9AABoMQAAgDsAAAAAAAAAAAAAkj0AAOgxAABYOwAAAAAAAAAAAACyPQAAwDEAADA7AAAAAAAAAAAAANY9AACYMQAAaDsAAAAAAAAAAAAAAD4AANAxAAAgOwAAAAAAAAAAAAAkPgAAiDEAALA6AAAAAAAAAAAAAE4+AAAYMQAAeDoAAAAAAAAAAAAAkD4AAOAwAADQOgAAAAAAAAAAAAAiPwAAODEAAPA6AAAAAAAAAAAAAEI/AABYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4PgAAAAAAAGQ/AAAAAAAAbj8AAAAAAAAAAAAAAAAAAM47AAAAAAAAwDsAAAAAAAAAAAAAAAAAABA9AAAAAAAALD0AAAAAAADqPgAAAAAAAAAAAAAAAAAA+j4AAAAAAADYPgAAAAAAAMw+AAAAAAAAAAAAAAAAAAAIPwAAAAAAAAAAAAAAAAAAUjwAAAAAAAAWPwAAAAAAAEY8AAAAAAAAAAAAAAAAAAD0PAAAAAAAAAAAAAAAAAAAnjwAAAAAAAC0PAAAAAAAAF49AAAAAAAASj0AAAA
AAAAAAAAAAAAAAIQ8AAAAAAAAAAAAAAAAAADkPAAAAAAAAMo8AAAAAAAAAAAAAAAAAABkPAAAAAAAAHQ8AAAAAAAAAAAAAAAAAACwPgAAAAAAAPo7AAAAAAAAKDwAAAAAAAAOPAAAAAAAAAAAAAAAAAAABwBfaW5pdHRlcm1fZQAGAF9pbml0dGVybQBhcGktbXMtd2luLWNvcmUtY3J0LWwyLTEtMC5kbGwAANACUnRsQ2FwdHVyZUNvbnRleHQAjQRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAC3BVJ0bFZpcnR1YWxVbndpbmQAAG50ZGxsLmRsbAAGAEhlYXBGcmVlAAAAAEdldFByb2Nlc3NIZWFwAAAEAEVuY29kZVBvaW50ZXIAAQBEZWNvZGVQb2ludGVyAAAAUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIADQBHZXRDdXJyZW50UHJvY2Vzc0lkABEAR2V0Q3VycmVudFRocmVhZElkAAAUAEdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAA8AU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAwAR2V0Q3VycmVudFByb2Nlc3MATQBUZXJtaW5hdGVQcm9jZXNzAABhcGktbXMtd2luLWNvcmUtaGVhcC1sMS0yLTAuZGxsAGFwaS1tcy13aW4tY29yZS11dGlsLWwxLTEtMC5kbGwAYXBpLW1zLXdpbi1jb3JlLXByb2ZpbGUtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLXByb2Nlc3N0aHJlYWRzLWwxLTEtMi5kbGwAYXBpLW1zLXdpbi1jb3JlLXN5c2luZm8tbDEtMi0xLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWxpYnJhcnlsb2FkZXItbDEtMi0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWVycm9yaGFuZGxpbmctbDEtMS0xLmRsbAAAAABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAYXBpLW1zLXdpbi1jb3JlLWNydC1sMS0xLTAuZGxsAADbAU50UXVlcnlTeXN0ZW1JbmZvcm1hdGlvbgAAWQBXcml0ZUZpbGUAUwBTZXRGaWxlUG9pbnRlcgAABQBHZXRMYXN0RXJyb3IAAAUAQ3JlYXRlRmlsZUEAAABDbG9zZUhhbmRsZQACAEhlYXBBbGxvYwBhcGktbXMtd2luLWNvcmUtZmlsZS1sMS0yLTEuZGxsAGFwaS1tcy13aW4tY29yZS1oYW5kbGUtbDEtMS0wLmRsbAAzAG1lbWNweQAANwBtZW1zZXQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAXEQAAwDcAACwRAAAaEgAA1DcAACASAABwEgAA8DcAAHgSAAC2EgAA+DcAALwSAADyEgAACDgAAPgSAABRGQAAEDgAAFgZAACaGgAAMDgAAKAaAAB7GwAAyDgAAJAbAADNGwAA+DcAANQbAAD8HAAASDgAABAdAAAuHQAA2DgAAFQdAAAkHgAA3DgAAEQeAABdHgAA8DcAAHweAACwHgAA6DgAAMAeAAAxIAAA8DgAAGwgAACJIAAA8DcAAJAgAADrIAAA/DgAAAAhAAACIQAA+DgAAAghAAAqIQAAwDgAACohAABMIQAAwDgAAEwhAABuIQAAwDgAAG4hAACQIQAAwDgAAJAhAAC1IQAAwDgAALUhAADFIQAAwDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAABgAAAAAoAigaKCAoIigkKAoojCiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - -function Log($message) -{ - $message | Out-File $LogFile -Append -Force -} - -function LogAndConsole($message) -{ - Write-Host $message - Log $message -} - -function LogAndConsoleWarning($message) -{ - Write-Host $message -foregroundcolor "Yellow" - Log $message -} - -function LogAndConsoleSuccess($message) -{ - Write-Host $message 
-foregroundcolor "Green" - Log $message -} - -function LogAndConsoleError($message) -{ - Write-Host $message -foregroundcolor "Red" - Log $message -} - -function IsExempted([System.IO.FileInfo] $item) -{ - $cert = (Get-AuthenticodeSignature $item.FullName).SignerCertificate - if($cert.ToString().Contains("CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")) - { - Log $item.FullName + "MS Exempted" - return 1 - } - else - { - Log $item.FullName + "Not-exempted" - Log $cert.ToString() - return 0 - } -} - -function CheckExemption($_ModName) -{ - $mod1 = Get-ChildItem $Sys32Path $_ModName - $mod2 = Get-ChildItem $DriverPath $_ModName - if($mod1) - { - Log "NonDriver module" + $mod1.FullName - return IsExempted($mod1) - } - elseif($mod2) - { - Log "Driver Module" + $mod2.FullName - return IsExempted($mod2) - } - -} - -function CheckFailedDriver($_ModName, $CIStats) -{ - Log "Module: " $_ModName.Trim() - if(CheckExemption($_ModName.Trim()) - eq 1) - { - $CompatibleModules.AppendLine("Windows Signed: " + $_ModName.Trim()) | Out-Null - return - } - $index = $CIStats.IndexOf("execute pool type count:".ToLower()) - if($index -eq -1) - { - return - } - $_tempStr = $CIStats.Substring($index) - $Result = "PASS" - $separator = "`r`n","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $stats = $_tempStr.Split($separator,$option) - Log $stats.Count - - $FailingStat = "" - foreach( $stat in $stats) - { - $_t =$stat.Split(":") - if($_t.Count -eq 2 -and $_t[1].trim() -ne "0") - { - $Result = "FAIL" - $FailingStat = $stat - break - } - } - if($Result.Contains("PASS")) - { - $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null - } - elseif($FailingStat.Trim().Contains("execute-write")) - { - $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - else - { - $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - 
Log "Result: " $Result -} - -function ListCIStats($_ModName, $str1) -{ - $i1 = $str1.IndexOf("Code Integrity Statistics:".ToLower()) - if($i1 -eq -1 ) - { - Log "String := " $str1 - Log "Warning! CI Stats are missing for " $_ModName - return - } - $temp_str1 = $str1.Substring($i1) - $CIStats = $temp_str1.Substring(0).Trim() - - CheckFailedDriver $_ModName $CIStats -} - -function ListDrivers($str) -{ - $_tempStr= $str - - $separator = "module:","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $index1 = $_tempStr.IndexOf("MODULE:".ToLower()) - if($index1 -lt 0) - { - return - } - $_tempStr = $_tempStr.Substring($Index1) - $_SplitStr = $_tempStr.Split($separator,$option) - - - Log $_SplitStr.Count - LogAndConsole "Verifying each module please wait ... " - foreach($ModuleDetail in $_Splitstr) - { - #LogAndConsole $Module - $Index2 = $ModuleDetail.IndexOf("(") - if($Index2 -eq -1) - { - "Skipping .." - continue - } - $ModName = $ModuleDetail.Substring(0,$Index2-1) - Log "Driver: " $ModName - Log "Processing module: " $ModName - ListCIStats $ModName $ModuleDetail - } - - $DriverScanCompletedMessage = "Completed scan. 
List of Compatible Modules can be found at " + $LogFile - LogAndConsole $DriverScanCompletedMessage - - if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 ) - { - $WarningMessage = "Incompatible HVCI Kernel Driver Modules found" - if($HLK) - { - LogAndConsoleError $WarningMessage - } - else - { - LogAndConsoleWarning $WarningMessage - } - - LogAndConsoleError $FailingExecuteWriteCheck.ToString() - if($HLK) - { - LogAndConsoleError $FailingModules.ToString() - } - else - { - LogAndConsoleWarning $FailingModules.ToString() - } - if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 ) - { - if($HLK) - { - $DGVerifyCrit.AppendLine($WarningMessage) | Out-Null - } - else - { - $DGVerifyWarn.AppendLine($WarningMessage) | Out-Null - } - } - } - else - { - LogAndConsoleSuccess "No Incompatible Drivers found" - } -} - -function ListSummary() -{ - if($DGVerifyCrit.Length -ne 0 ) - { - LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the following:" - LogAndConsoleError $DGVerifyCrit.ToString() - LogAndConsoleWarning $DGVerifyWarn.ToString() - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 0 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 0 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 0 /f ' - } - - } - elseif ($DGVerifyWarn.Length -ne 0 ) - { - LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n" - LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:" - LogAndConsoleWarning $DGVerifyWarn.ToString() - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD 
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 1 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 1 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 1 /f ' - } - } - else - { - LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n" - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 2 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 2 /f ' - } - } -} - - -function Instantiate-Kernel32 { - try - { - Add-Type -TypeDefinition @" - using System; - using System.Diagnostics; - using System.Runtime.InteropServices; - - public static class Kernel32 - { - [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)] - public static extern IntPtr LoadLibrary( - [MarshalAs(UnmanagedType.LPStr)]string lpFileName); - - [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] - public static extern IntPtr GetProcAddress( - IntPtr hModule, - string procName); - } - -"@ - } - catch - { - Log $_.Exception.Message - LogAndConsole "Instantiate-Kernel32 failed" - } -} - -function Instantiate-HSTI { - try - { - Add-Type -TypeDefinition @" - using System; - using System.Diagnostics; - using System.Runtime.InteropServices; - using System.Net; - - public static class HstiTest3 - { - [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] - public static extern int QueryHSTIdetails( - ref HstiOverallError pHstiOverallError, - [In, Out] 
HstiProviderErrorDuple[] pHstiProviderErrors, - ref uint pHstiProviderErrorsCount, - byte[] hstiPlatformSecurityBlob, - ref uint pHstiPlatformSecurityBlobBytes); - - [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] - public static extern int QueryHSTI(ref bool Pass); - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] - public struct HstiProviderErrorDuple - { - internal uint protocolError; - internal uint role; - internal HstiProviderErrors providerError; - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] - internal string ID; - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)] - internal string ErrorString; - } - - [FlagsAttribute] - public enum HstiProviderErrors : int - { - None = 0x00000000, - VersionMismatch = 0x00000001, - RoleUnknown = 0x00000002, - RoleDuplicated = 0x00000004, - SecurityFeatureSizeMismatch = 0x00000008, - SizeTooSmall = 0x00000010, - VerifiedMoreThanImplemented = 0x00000020, - VerifiedNotMatchImplemented = 0x00000040 - } - - [FlagsAttribute] - public enum HstiOverallError : int - { - None = 0x00000000, - RoleTooManyPlatformReference = 0x00000001, - RoleTooManyIbv = 0x00000002, - RoleTooManyOem = 0x00000004, - RoleTooManyOdm = 0x00000008, - RoleMissingPlatformReference = 0x00000010, - VerifiedIncomplete = 0x00000020, - ProtocolErrors = 0x00000040, - BlobVersionMismatch = 0x00000080, - PlatformSecurityVersionMismatch = 0x00000100, - ProviderError = 0x00000200 - } - - } -"@ - - $LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll") - $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails") - $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI") - - if ([System.IntPtr]::Size -eq 8) - { - #assuming 64 bit - Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())" - Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" - } - else - { - return - } - $overallError = New-Object HstiTest3+HstiOverallError - 
$providerErrorDupleCount = New-Object int - $blobByteSize = New-Object int - $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) - - [byte[]]$blob = New-Object byte[] $blobByteSize - [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount - $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) - $string = $null - $blob | foreach { $string = $string + $_.ToString("X2")+"," } - - $hstiStatus = New-Object bool - $hr = [HstiTest3]::QueryHSTI([ref] $hstiStatus) - - LogAndConsole "HSTI Duple Count: $providerErrorDupleCount" - LogAndConsole "HSTI Blob size: $blobByteSize" - LogAndConsole "String: $string" - LogAndConsole "HSTIStatus: $hstiStatus" - if(($blobByteSize -gt 512) -and ($providerErrorDupleCount -gt 0) -and $hstiStatus) - { - LogAndConsoleSuccess "HSTI validation successful" - } - elseif(($providerErrorDupleCount -eq 0) -or ($blobByteSize -le 512)) - { - LogAndConsoleWarning "HSTI is absent" - $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null - } - else - { - $ErrorMessage = "HSTI validation failed" - if($HLK) - { - LogAndConsoleError $ErrorMessage - $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null - } - else - { - LogAndConsoleWarning $ErrorMessage - $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null - } - } - - } - catch - { - LogAndConsoleError $_.Exception.Message - LogAndConsoleError "Instantiate-HSTI failed" - } -} - - -function CheckDGRunning($_val) -{ - $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard - for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++) - { - if($DGObj.SecurityServicesRunning[$i] -eq $_val) - { - return 1 - } - - } - return 0 -} - -function CheckDGFeatures($_val) -{ - $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace 
root\Microsoft\Windows\DeviceGuard - Log "DG_obj $DG_obj" - Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length" - for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++) - { - if($DGObj.AvailableSecurityProperties[$i] -eq $_val) - { - return 1 - } - - } - return 0 -} - -function PrintConfigCIDetails($_ConfigCIState) -{ - $_ConfigCIRunning = "Config-CI is enabled and running." - $_ConfigCIDisabled = "Config-CI is not running." - $_ConfigCIMode = "Not Enabled" - switch ($_ConfigCIState) - { - 0 { $_ConfigCIMode = "Not Enabled" } - 1 { $_ConfigCIMode = "Audit mode" } - 2 { $_ConfigCIMode = "Enforced mode" } - default { $_ConfigCIMode = "Not Enabled" } - } - - if($_ConfigCIState -ge 1) - { - LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)" - } - else - { - LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)" - } -} - -function PrintHVCIDetails($_HVCIState) -{ - $_HvciRunning = "HVCI is enabled and running." - $_HvciDisabled = "HVCI is not running." - - if($_HVCIState) - { - LogAndConsoleSuccess $_HvciRunning - } - else - { - LogAndConsoleWarning $_HvciDisabled - } -} - -function PrintCGDetails ($_CGState) -{ - $_CGRunning = "Credential-Guard is enabled and running." - $_CGDisabled = "Credential-Guard is not running." - - if($_CGState) - { - LogAndConsoleSuccess $_CGRunning - } - else - { - LogAndConsoleWarning $_CGDisabled - } -} - -if(![IO.Directory]::Exists($path)) -{ - New-Item -ItemType directory -Path $path -} -else -{ - #Do Nothing!! 
-} - -function IsRedstone -{ - $_osVersion = [environment]::OSVersion.Version - Log $_osVersion - #Check if build Major is Windows 10 - if($_osVersion.Major -lt 10) - { - return 0 - } - #Check if the build is post Threshold2 (1511 release) => Redstone - if($_osVersion.Build -gt 10586) - { - return 1 - } - #default return False - return 0 -} - -function ExecuteCommandAndLog($_cmd) -{ - try - { - Log "Executing: $_cmd" - $CmdOutput = Invoke-Expression $_cmd | Out-String - Log "Output: $CmdOutput" - } - catch - { - Log "Exception while exectuing $_cmd" - Log $_.Exception.Message - } - - -} - -function PrintRebootWarning -{ - LogAndConsoleWarning "Please reboot the machine, for settings to be applied." -} - -function AutoRebootHelper -{ - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - PrintRebootWarning - } - -} - -function VerifierReset -{ - $verifier_state = verifier /query | Out-String - if(!$verifier_state.ToString().Contains("No drivers are currently verified.")) - { - ExecuteCommandAndLog 'verifier.exe /reset' - } - AutoRebootHelper -} - -function PrintHardwareReq -{ - LogAndConsole "###########################################################################" - LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT" - LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr" - LogAndConsole "########################################################################### `n" -} - -function CheckDriverCompat -{ - $_HVCIState = CheckDGRunning(2) - if($_HVCIState) - { - LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete." 
- LogAndConsoleWarning "Please disable HVCI and run the script again..." - } - $verifier_state = verifier /query | Out-String - if($verifier_state.ToString().Contains("No drivers are currently verified.")) - { - LogAndConsole "Enabling Driver verifier" - verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity - - LogAndConsole "Enabling Driver Verifier and Rebooting system" - Log $verifier_state - LogAndConsole "Please re-execute this script after reboot...." - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - LogAndConsole "Please reboot manually and run the script again...." - } - exit - } - else - { - LogAndConsole "Driver verifier already enabled" - Log $verifier_state - ListDrivers($verifier_state.Trim().ToLowerInvariant()) - } -} -function IsDomainController -{ - $_isDC = 0 - $CompConfig = Get-WmiObject Win32_ComputerSystem - foreach ($ObjItem in $CompConfig) - { - $Role = $ObjItem.DomainRole - Log "Role=$Role" - Switch ($Role) - { - 0 { Log "Standalone Workstation" } - 1 { Log "Member Workstation" } - 2 { Log "Standalone Server" } - 3 { Log "Member Server" } - 4 - { - Log "Backup Domain Controller" - $_isDC=1 - break - } - 5 - { - Log "Primary Domain Controller" - $_isDC=1 - break - } - default { Log "Unknown Domain Role" } - } - } - return $_isDC -} - -function CheckOSSKU -{ - $osname = $((Get-ComputerInfo).WindowsProductName).ToLower() - $_SKUSupported = 0 - Log "OSNAME:$osname" - $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") - $HLKAllowed = @("windows 10 pro") - foreach ($SKUent in $SKUarray) - { - if($osname.ToString().Contains($SKUent.ToLower())) - { - $_SKUSupported = 1 - break - } - } - - # For running HLK tests only, professional SKU's are marked as supported. 
- if($HLK) - { - if($osname.ToString().Contains($HLKAllowed.ToLower())) - { - $_SKUSupported = 1 - } - } - $_isDomainController = IsDomainController - if($_SKUSupported) - { - LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard"; - if(($_isDomainController -eq 1) -and !$HVCI -and !$DG) - { - LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not supported on DC." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "This PC edition is Unsupported for Device Guard" - $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 0 /f ' - } -} - -function CheckOSArchitecture -{ - $OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower() - Log $OSArch - if($OSArch -match ("^64\-?\s?bit")) - { - LogAndConsoleSuccess "64 bit architecture" - } - elseif($OSArch -match ("^32\-?\s?bit")) - { - LogAndConsoleError "32 bit architecture" - $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null - } - else - { - LogAndConsoleError "Unknown architecture" - $DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null - } -} - -function CheckSecureBootState -{ - try { - $_secureBoot = Confirm-SecureBootUEFI - } - catch - { - $_secureBoot = $false - } - Log $_secureBoot - if($_secureBoot) - { - LogAndConsoleSuccess "Secure Boot is present" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Secure Boot is absent / not enabled." - LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and run the script again." 
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null - } -} - -function CheckVirtualization -{ - $_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions - $_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled - $_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent - Log "VMMonitorModeExtensions $_vmmExtension" - Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" - Log "HyperVisorPresent $_vmHyperVPresent" - - #success if either processor supports and enabled or if hyper-v is present - if(($_vmmExtension -and $_vmFirmwareExtension) -or $_vmHyperVPresent ) - { - LogAndConsoleSuccess "Virtualization firmware check passed" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Virtualization firmware check failed." - LogAndConsoleError "If Virtualization extensions are supported on the system, enable hardware virtualization (Intel Virtualization Technology, Intel VT-x, Virtualization Extensions, or similar) in the BIOS and run the script again." - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Virtualization firmware check failed.") | Out-Null - } -} - -function CheckTPM -{ - $TPMLockout = $(get-tpm).LockoutCount - - if($TPMLockout) - { - - if($TPMLockout.ToString().Contains("Not Supported for TPM 1.2")) - { - if($HLK) - { - LogAndConsoleSuccess "TPM 1.2 is present." - } - else - { - $WarningMsg = "TPM 1.2 is Present. TPM 2.0 is Preferred." 
- LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - } - else - { - LogAndConsoleSuccess "TPM 2.0 is present." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "TPM is absent or not ready for use" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 0 /f ' - } -} - -function CheckSecureMOR -{ - $isSecureMOR = CheckDGFeatures(4) - Log "isSecureMOR= $isSecureMOR " - if($isSecureMOR -eq 1) - { - LogAndConsoleSuccess "Secure MOR is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "Secure MOR is absent" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 0 /f ' - } -} - -function CheckNXProtection -{ - $isNXProtected = CheckDGFeatures(5) - Log "isNXProtected= $isNXProtected " - if($isNXProtected -eq 1) - { - LogAndConsoleSuccess "NX Protector is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "NX Protector is absent" - $DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 0 /f ' - } 
-} - -function CheckSMMProtection -{ - $isSMMMitigated = CheckDGFeatures(6) - Log "isSMMMitigated= $isSMMMitigated " - if($isSMMMitigated -eq 1) - { - LogAndConsoleSuccess "SMM Mitigation is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "SMM Mitigation is absent" - $DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 0 /f ' - } -} - -function CheckHSTI -{ - LogAndConsole "Copying HSTITest.dll" - try - { - $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) - - } - catch - { - LogAndConsole $_.Exception.Message - LogAndConsole "Copying and loading HSTITest.dll failed" - } - - Instantiate-Kernel32 - Instantiate-HSTI -} - -function PrintToolVersion -{ - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - -} - -PrintToolVersion - -if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier)) -{ - #Print Usage if none of the options are specified - LogAndConsoleWarning "How to read the output:" - LogAndConsoleWarning "" - LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG" - LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n additional security benefits will be absent. 
To learn more please go through: https://aka.ms/dgwhcr" - LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n" - - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" - - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path" - LogAndConsoleWarning "Log file with details is found here: C:\DGLogs `n" - - LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path `n" - - LogAndConsoleWarning "To Enable only HVCI" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -HVCI `n" - - LogAndConsoleWarning "To Enable only CG" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -CG `n" - - LogAndConsoleWarning "To Verify if DG/CG is enabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Disable DG/CG." 
- LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Disable `n" - - LogAndConsoleWarning "To Verify if DG/CG is disabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Verify if this device is DG/CG Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable`n" - - LogAndConsoleWarning "To Verify if this device is HVCI Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable -HVCI`n" - - LogAndConsoleWarning "To Auto reboot with each option" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot`n" - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "When the Readiness Tool with '-capable' is run the following RegKey values are set:" - LogAndConsoleWarning "" - LogAndConsoleWarning "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" - LogAndConsoleWarning "CG_Capable" - LogAndConsoleWarning "DG_Capable" - LogAndConsoleWarning "HVCI_Capable" - LogAndConsoleWarning "" - LogAndConsoleWarning "Value 0 = not possible to enable DG/CG/HVCI on this device" - LogAndConsoleWarning "Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI" - LogAndConsoleWarning "Value 2 = fully compatible for DG/CG/HVCI" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" -} - -$user = [Security.Principal.WindowsIdentity]::GetCurrent(); -$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) - -if(!$TestForAdmin) -{ - LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a local administrator." 
- exit -} - -$isRunningOnVM = (Get-WmiObject win32_computersystem).model -if($isRunningOnVM.Contains("Virtual")) -{ - LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." -} - - -<# Check the DG status if enabled or disabled, meaning if the device is ready or not #> -if($Ready) -{ - PrintHardwareReq - - $DGRunning = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - $_ConfigCIState = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).CodeIntegrityPolicyEnforcementStatus - Log "Current DGRunning = $DGRunning, ConfigCI= $_ConfigCIState" - $_HVCIState = CheckDGRunning(2) - $_CGState = CheckDGRunning(1) - - if($HVCI) - { - Log "_HVCIState: $_HVCIState" - PrintHVCIDetails $_HVCIState - } - elseif($CG) - { - Log "_CGState: $_CGState" - PrintCGDetails $_CGState - - if($_CGState) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 0 /f' - } - } - elseif($DG) - { - Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if($_ConfigCIState -and $_HVCIState) - { - LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Not all services are running." 
- - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' - } - } - else - { - Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintCGDetails $_CGState - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1)) - { - LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running." - } - else - { - LogAndConsoleWarning "Not all services are running." - } - } -} - -<# Enable and Disable #> -if($Enable) -{ - PrintHardwareReq - - LogAndConsole "Enabling Device Guard and Credential Guard" - LogAndConsole "Setting RegKeys to enable DG/CG" - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f' - #Only SecureBoot is required as part of RequirePlatformSecurityFeatures - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f' - } - - if(!$HVCI -and !$DG) - { - # value is 2 for both Th2 and RS1 - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f' - } - if(!$CG) - { - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD 
/d 1 /f' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' - } - } - - try - { - if(!$HVCI -and !$CG) - { - if(!$SIPolicyPath) - { - Log "Writing Decoded SIPolicy.p7b" - $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) - } - else - { - LogAndConsole "Copying user provided SIpolicy.p7b" - $CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" | Out-String - Log $CmdOutput - } - } - } - catch - { - LogAndConsole "Writing SIPolicy.p7b file failed" - } - - LogAndConsole "Enabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Online /All /NoRestart | Out-String - } - - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Enabling Hyper-V failed please check the log file" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 0 /f' - } - AutoRebootHelper -} - -if($Disable) -{ - LogAndConsole "Disabling Device 
Guard and Credential Guard" - LogAndConsole "Deleting RegKeys to disable DG/CG" - - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f' - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f' - } - else - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f' - } - - if(!$CG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f' - if($_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f' - } - } - - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f' - } - - if(!$HVCI -and !$CG) - { - ExecuteCommandAndLog 'del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"' - } - - if(!$HVCI -and !$DG -and !$CG) - { - LogAndConsole "Disabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Online /NoRestart | Out-String - } - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Disabling Hyper-V and IOMMU successful" - } - else - { - 
LogAndConsoleWarning "Disabling Hyper-V failed please check the log file" - } - - #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS - #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always - #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS - $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random - Log "FreeDrive=$FreeDrive" - ExecuteCommandAndLog 'mountvol $FreeDrive /s' - $CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi" $FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String - LogAndConsole $CmdOutput - ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi' - ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive' - ExecuteCommandAndLog 'mountvol $FreeDrive /d' - #steps complete - - } - AutoRebootHelper -} - -if($Clear) -{ - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f' - VerifierReset -} - -if($ResetVerifier) -{ - VerifierReset -} - -<# Is machine Device Guard / Cred Guard Capable and Verify #> -if($Capable) -{ - PrintHardwareReq - - LogAndConsole "Checking if the device is DG/CG Capable" - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsoleWarning "Capable is currently fully supported in Redstone only.." 
- } - $_StepCount = 1 - if(!$CG) - { - LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " - $_StepCount++ - CheckDriverCompat - } - - LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " - $_StepCount++ - CheckSecureBootState - - if(!$HVCI -and !$DG -and !$CG) - { - #check only if sub-options are absent - LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " - $_StepCount++ - CheckHSTI - } - - LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " - $_StepCount++ - CheckOSArchitecture - - LogAndConsole " ====================== Step $_StepCount Supported OS SKU ====================== " - $_StepCount++ - CheckOSSKU - - LogAndConsole " ====================== Step $_StepCount Virtualization Firmware ====================== " - $_StepCount++ - CheckVirtualization - - if(!$HVCI -and !$DG) - { - LogAndConsole " ====================== Step $_StepCount TPM version ====================== " - $_StepCount++ - CheckTPM - - LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " - $_StepCount++ - CheckSecureMOR - } - - LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " - $_StepCount++ - CheckNXProtection - - LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " - $_StepCount++ - CheckSMMProtection - - LogAndConsole " ====================== End Check ====================== " - - LogAndConsole " ====================== Summary ====================== " - ListSummary - LogAndConsole "To learn more about required hardware and software please visit: https://aka.ms/dgwhcr" -} - - -# SIG # Begin signature block -## REPLACE -# SIG # End signature block - -``` 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 33c5c76b9f..a82f25aa93 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -267,7 +267,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, 10.10.0.1 10.10.0.2 corp.contoso.com - + ``` @@ -280,12 +280,12 @@ This example configures an IpConfig signal type using a dnsSuffix element and a ```xml - - corp.contoso.com - + + corp.contoso.com + , - + ``` diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index b7b06e3193..299c09d7f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -37,5 +37,5 @@ Suppose instead that you sign in on **Device B** and change your password for yo - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index c9bc5a12f3..e6a01bb2b8 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -89,4 +89,4 @@ To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index a73ef3f3f2..5d92d9dcb7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -3,6 +3,7 @@ title: Configure Windows Hello for Business Policy settings in an on-premises ce description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario ms.collection: - highpri + - tier1 ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 64b6af4819..22f170e86e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
@@ -55,7 +55,7 @@ Following are the various deployment guides and models included in this topic: - [On Premises Key Trust Deployment](hello-deployment-key-trust.md) - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. +For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. ## Provisioning 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 424f82c737..26fb7abfb6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -3,6 +3,7 @@ title: Deploy certificates for remote desktop sign-in description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. ms.collection: - ContentEngagementFY23 + - tier1 ms.topic: article ms.date: 11/15/2022 appliesto: diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index c853063c26..982ee0f388 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -4,6 +4,7 @@ metadata: description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. ms.collection: - highpri + - tier1 ms.topic: faq ms.date: 01/06/2023 appliesto: diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index adfbe58657..d6d35b189a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md 
@@ -76,5 +76,5 @@ The computer is ready for dual enrollment. Sign in as the privileged user first * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) * [Windows Hello and password changes](hello-and-password-changes.md) * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -* [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 6bae92fc12..9f461f9697 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -55,5 +55,5 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) * [Windows Hello and password changes](hello-and-password-changes.md) * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -* [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index e1aa2e7acb..519b34bd34 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -3,6 +3,7 @@ title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. ms.collection: - highpri + - tier1 ms.date: 07/29/2022 appliesto: - ✅ Windows 10 and later @@ -265,5 +266,5 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 2281821bdc..2f1c460668 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -5,6 +5,8 @@ ms.date: 02/24/2021 appliesto: - ✅ Windows 10 and later ms.topic: article +ms.collection: + - tier1 --- # Remote Desktop 
@@ -56,5 +58,5 @@ Users appreciate convenience of biometrics and administrators value the security - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 7bec9c2543..b3765851fa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -101,7 +101,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while ### More information on cloud experience host -[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) +[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works) ## Cloud Kerberos trust diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 9f3670151c..40e094e6c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
@@ -52,5 +52,5 @@ For more information read [how authentication works](hello-how-it-works-authenti - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2cc6e81fff..677bc65d0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -14,7 +14,7 @@ ms.topic: how-to If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue. Steps you'll perform include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 80f86ef481..9d45b8bed7 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete: > - Update group memberships for the AD FS service account > [!div class="nextstepaction"] -> [Next: configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) \ No newline at end of file +> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 0a6ef16c6e..ce118ce681 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -27,14 +27,12 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which ## Azure AD Kerberos and cloud Kerberos trust authentication -*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\ -For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices. +*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. -*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs. +Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ +With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. -With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. 
- -When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: +When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers - Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object @@ -45,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). > [!IMPORTANT] -> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. +> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. ## Prerequisites 
@@ -73,9 +71,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud ## Deployment steps -Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps: +Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: -1. Set up *Azure AD Kerberos* +1. Set up Azure AD Kerberos 1. Configure a Windows Hello for Business policy and deploy it to the devices ### Deploy Azure AD Kerberos @@ -86,7 +84,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl ### Configure Windows Hello for Business policy -After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). +After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -116,7 +114,7 @@ Windows Hello for Business settings are also available in the settings catalog. ### Configure cloud Kerberos trust policy -To configure the *cloud Kerberos trust* policy, follow the steps below: +To configure the cloud Kerberos trust policy, follow the steps below: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. 
@@ -156,7 +154,7 @@ You can also create a Group Policy Central Store and copy them their respective #### Create the Windows Hello for Business group policy object -You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO). +You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory 1. Edit the Group Policy object from Step 1 @@ -168,7 +166,7 @@ You can configure Windows devices to enable *Windows Hello for Business cloud Ke --- > [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*. +> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. ## Provision Windows Hello for Business 
@@ -196,11 +194,11 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell ### Sign-in -Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. +Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. ## Migrate from key trust deployment model to cloud Kerberos trust -If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps: +If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 
@@ -209,14 +207,14 @@ If you deployed Windows Hello for Business using the *key trust model*, and want > [!NOTE] > For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. > -> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails. +> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. ## Migrate from certificate trust deployment model to cloud Kerberos trust > [!IMPORTANT] -> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. +> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. -If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps: +If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: 1. Disable the certificate trust policy 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index e1ed3396b6..518283865d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -3,6 +3,7 @@ title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.collection: - highpri +- tier1 ms.date: 12/13/2022 appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 8c3bfe995d..e666aa4beb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -3,6 +3,7 @@ title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. ms.collection: - highpri + - tier1 ms.date: 2/15/2022 appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 48c16385f3..d6e6de308d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -3,6 +3,7 @@ title: Windows Hello for Business Overview (Windows) description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. ms.collection: - highpri + - tier1 ms.topic: conceptual appliesto: - ✅ Windows 10 and later 
@@ -110,5 +111,5 @@ Windows Hello for Business with a key, including cloud Kerberos trust, doesn't s - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c3c5912b26..f3e0b27534 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -87,7 +87,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. 
RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 69e4a380e5..0efcd603a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -52,6 +52,6 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 89fe8f84ce..6b65c109d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -3,6 +3,7 @@ title: Why a PIN is better than an online password (Windows)
 description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
 ms.collection:
 - highpri
+ - tier1
 ms.date: 10/23/2017
 appliesto:
 - ✅ Windows 10 and later
@@ -81,5 +82,5 @@ If you only had a biometric sign-in configured and, for any reason, were unable
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png
deleted file mode 100644
index 50029cc00e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
deleted file mode 100644
index 93085b03a8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
deleted file mode 100644
index 88aaf424f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
deleted file mode 100644
index 3d547d05fc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png
deleted file mode 100644
index d98d871f21..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
deleted file mode 100644
index caacf8a566..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
deleted file mode 100644
index 226f85eeb0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
deleted file mode 100644
index 067c109808..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
deleted file mode 100644
index f2c38239f3..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
deleted file mode 100644
index 74cea5f0b5..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
deleted file mode 100644
index e95fd1b9ba..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
deleted file mode 100644
index c973e43aec..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
deleted file mode 100644
index 70aaa2db9d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
deleted file mode 100644
index eadf1eb285..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
deleted file mode 100644
index 56cced034f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
deleted file mode 100644
index e4e4555942..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
deleted file mode 100644
index 390bfecafd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
deleted file mode 100644
index a136973f04..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
deleted file mode 100644
index c78baecd49..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
deleted file mode 100644
index 96fe45bbcf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
deleted file mode 100644
index 004d3a3f25..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
deleted file mode 100644
index 9d66d330fd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
deleted file mode 100644
index dea61f116e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
deleted file mode 100644
index 831e12fe59..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
deleted file mode 100644
index 21f4159d80..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
deleted file mode 100644
index 49c4dee983..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
deleted file mode 100644
index c2a4f36704..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
deleted file mode 100644
index 0ec08ecbc0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png
deleted file mode 100644
index 46db47b6f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png
deleted file mode 100644
index 91e079feca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/createPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png
deleted file mode 100644
index 85bc6491cf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
deleted file mode 100644
index 7f0be5249d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
deleted file mode 100644
index 72c94fb321..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
deleted file mode 100644
index 64f85b1f54..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
deleted file mode 100644
index 6894047f98..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
deleted file mode 100644
index 3167588d7b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png
deleted file mode 100644
index 611bbfad70..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_filter.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png
deleted file mode 100644
index b74cf682ac..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_gear.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png
deleted file mode 100644
index 5643cecec0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_lock.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png
deleted file mode 100644
index c6750396dd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_users.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
deleted file mode 100644
index 8b003013f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
deleted file mode 100644
index 44bbc4a572..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png
deleted file mode 100644
index df7973e2ca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png
deleted file mode 100644
index eb3458bf76..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png
deleted file mode 100644
index 6011b3c66e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png
deleted file mode 100644
index ac1752b75b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
deleted file mode 100644
index 2835e56049..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
deleted file mode 100644
index 4874ca4516..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
deleted file mode 100644
index c6572cbd5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png
deleted file mode 100644
index 3a72066a31..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png
deleted file mode 100644
index c3754b5389..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png
deleted file mode 100644
index 97db24c262..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png
deleted file mode 100644
index 80f9d53d2c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png
deleted file mode 100644
index 97ad2a1bfb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png
deleted file mode 100644
index b7086b9b79..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/mfa.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
deleted file mode 100644
index 174cf0a790..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
deleted file mode 100644
index 028f06544c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
deleted file mode 100644
index 322a4fcbdc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
deleted file mode 100644
index f86101b1e8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
deleted file mode 100644
index d9acfd8170..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
deleted file mode 100644
index 21d37405a7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
deleted file mode 100644
index a5b340a3f8..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
deleted file mode 100644
index b637be9beb..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 0c6b760604..75e29c597a 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -16,6 +16,7 @@ metadata:
 ms.date: 01/22/2021
 ms.collection:
 - highpri
+ - tier1
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/identity-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png
deleted file mode 100644
index d8e3598dc9..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/identity-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index e094da893b..63c2e03d67 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -7,6 +7,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 01/12/2018
@@ -51,12 +52,12 @@ Use the following table to compare different Remote Desktop connection security
 | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
 |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
+| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
 | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

              For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | | **Helps prevent**                    |      N/A          |
              • Pass-the-Hash
              • Use of a credential after disconnection
              |
              • Pass-the-Hash
              • Use of domain identity during connection
              | | **Credentials supported from the remote desktop client device** |
              • Signed on credentials
              • Supplied credentials
              • Saved credentials
              |
              • Signed on credentials only |
                • Signed on credentials
                • Supplied credentials
                • Saved credentials
              | | **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
-| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. |
+| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
 | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
 | **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
@@ -71,7 +72,7 @@ and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/c ## Remote Desktop connections and helpdesk support scenarios -For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. +For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). 
@@ -90,7 +91,7 @@ The Remote Desktop client device: - Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. -- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. +- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. @@ -100,7 +101,7 @@ The Remote Desktop remote host: - Must be running at least Windows 10, version 1607 or Windows Server 2016. - Must allow Restricted Admin connections. -- Must allow the client’s domain user to access Remote Desktop connections. +- Must allow the client's domain user to access Remote Desktop connections. - Must allow delegation of non-exportable credentials. There are no hardware requirements for Windows Defender Remote Credential Guard. @@ -128,7 +129,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on - Add a new DWORD value named **DisableRestrictedAdmin**. - - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. + - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0. 3. Close Registry Editor. 
@@ -156,6 +157,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. @@ -181,7 +183,7 @@ mstsc.exe /remoteGuard ## Considerations when using Windows Defender Remote Credential Guard -- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. +- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied. - Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. @@ -189,4 +191,4 @@ mstsc.exe /remoteGuard - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. -- The server and client must authenticate using Kerberos. \ No newline at end of file +- The server and client must authenticate using Kerberos. 
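Review bot: The added note line in the `@@ -156,6 +157,7 @@` hunk spells the switch `/restrictedAdmin`, while the helpdesk section earlier in this same file writes `/RestrictedAdmin`; use one spelling so a reader searching the page finds both occurrences. The second sentence, "Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard", also reads as though Remote Credential Guard is always the result, yet the requirements section above lists host and client conditions (Windows 10 1607 / Server 2016, Kerberos, an AD-joined target) under which it can be used; the note should say what the policy does to the connection when the remote host doesn't meet them, which I can't confirm from this diff. Suggested wording for the new line: `> When **Restrict Credential Delegation** is enabled, the /RestrictedAdmin switch is ignored: the policy setting takes precedence over the command-line switch and the connection uses Windows Defender Remote Credential Guard.` The enclosing bulleted list continues outside the hunk.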
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 3c1b301625..10b6bda518 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -8,6 +8,7 @@ ms.reviewer: ardenw
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/24/2021
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index a968914652..8037f68045 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -3,6 +3,7 @@ title: How User Account Control works (Windows)
 description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index f3c8c14d4e..979a7ae1f1 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -3,6 +3,7 @@ title: User Account Control Group Policy and registry key settings (Windows)
 description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.date: 04/19/2017
 appliesto:
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 35851d61af..93502be3e3 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -3,6 +3,7 @@ title: User Account Control (Windows)
 description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.date: 09/24/2011
 appliesto:
diff --git a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png b/windows/security/identity-protection/vpn/images/custom-vpn-profile.png
deleted file mode 100644
index b229c96b68..0000000000
Binary files a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png
deleted file mode 100644
index 9f4efabc3f..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png
deleted file mode 100644
index 4224979bbd..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png deleted file mode 100644 index 7277b7a598..0000000000 Binary files a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png and /dev/null differ diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png deleted file mode 100644 index 62aaa46f8d..0000000000 Binary files a/windows/security/images/fall-creators-update-next-gen-security.png and /dev/null differ diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg deleted file mode 100644 index 21a6b4f235..0000000000 --- a/windows/security/images/icons/accessibility.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg deleted file mode 100644 index ab2d5152ca..0000000000 --- a/windows/security/images/icons/powershell.svg +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg deleted file mode 100644 index dbbad7d780..0000000000 --- a/windows/security/images/icons/provisioning-package.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg deleted file mode 100644 index 06ab4c09d7..0000000000 --- a/windows/security/images/icons/registry.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file 
diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png
deleted file mode 100644
index a598365cb7..0000000000
Binary files a/windows/security/images/next-generation-windows-security-vision.png and /dev/null differ
diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png
deleted file mode 100644
index e062b0d292..0000000000
Binary files a/windows/security/images/windows-security-app-w11.png and /dev/null differ
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
deleted file mode 100644
index f928705138..0000000000
--- a/windows/security/includes/improve-request-performance.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!TIP]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.microsoft.com
diff --git a/windows/security/includes/intune-custom-settings-info.md b/windows/security/includes/intune-custom-settings-info.md
deleted file mode 100644
index 9509d5b13d..0000000000
--- a/windows/security/includes/intune-custom-settings-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-1.md b/windows/security/includes/intune-settings-catalog-1.md
deleted file mode 100644
index 2ddfc8d6b6..0000000000
--- a/windows/security/includes/intune-settings-catalog-1.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-To configure devices with Microsoft Intune, use the settings catalog:
-
- > [!TIP]
- > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to create a Settings catalog policy (opens in a new tab).
-
-1. Go to the Microsoft Endpoint Manager admin center
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Settings catalog**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description** > **Next**
-6. In the settings picker, add the following settings:
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-2.md b/windows/security/includes/intune-settings-catalog-2.md
deleted file mode 100644
index 9558ed41a7..0000000000
--- a/windows/security/includes/intune-settings-catalog-2.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-7. Select **Next**
-8. Optionally, add *scope tags* > **Next**
-9. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-info.md b/windows/security/includes/intune-settings-catalog-info.md
deleted file mode 100644
index 8387d702ff..0000000000
--- a/windows/security/includes/intune-settings-catalog-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create policies with the Intune settings catalog, see [Use the settings catalog to configure settings](/mem/intune/configuration/settings-catalog).
\ No newline at end of file
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
deleted file mode 100644
index d4b4560d8f..0000000000
--- a/windows/security/includes/machineactionsnote.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) for more information about response actions functionality via Microsoft Defender for Endpoint.
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
deleted file mode 100644
index 0b0b2be701..0000000000
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!NOTE]
->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api).
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
deleted file mode 100644
index bd9a8d2c0d..0000000000
--- a/windows/security/includes/microsoft-defender.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
deleted file mode 100644
index c0212561bd..0000000000
--- a/windows/security/includes/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index b917a468f8..daa9cba013 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 32a6c0816b..bc4ad1b106 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -90,17 +90,17 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne ### Protecting Thunderbolt and other DMA ports -There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. +There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled: ![Kernel DMA protection.](images/kernel-dma-protection.png) -If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: +If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: 1. Require a password for BIOS changes -2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): 
@@ -141,7 +141,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo ### Tricking BitLocker to pass the key to a rogue operating system -An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. +An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. 
Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 811287a4d3..c0f495b8a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -8,6 +8,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 24016c5ca6..4f7256eadb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 38d6bcb2f9..8b776366c3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b86eb930d8..93dc998a8a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. > [!NOTE] -> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users: +> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users: > - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). > - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5). diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 8398ff5cb5..3243fdb178 100644 
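Review bot: The rewritten note in the `@@ -36,7 +36,7 @@` hunk is hard to parse: "via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform" stacks three qualifiers before the main clause, and "Bitlocker" is lowercase-l while the surrounding context lines write "BitLocker" and link to the "BitLocker CSP". Since the hunk's own context already links the BitLocker CSP, naming it directly is clearer than the generic "via CSP". Suggested replacement for the added line: `> To manage BitLocker through the BitLocker CSP (Configuration Service Provider), regardless of your management platform, one of the following licenses must be assigned to your users (enabling and disabling BitLocker is excepted):`. The note block continues outside the hunk.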
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 5cc2a4ae6c..a3b7a72ca1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -8,6 +8,7 @@ author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 495549c66c..39eb80e0aa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
deleted file mode 100644
index 11ce21de12..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Breaking out of a BitLocker recovery loop
-description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
- - highpri
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# Breaking out of a BitLocker recovery loop
-
-Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating.
-
-If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop:
-
-> [!NOTE]
-> Try these steps only after the device has been restarted at least once.
-
-1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**.
-
-2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
-
-3. From the WinRE command prompt, manually unlock the drive with the following command:
-
-```cmd
-manage-bde.exe -unlock C: -rp
-```
-
-4. Suspend the protection on the operating system with the following command:
-
-```cmd
-manage-bde.exe -protectors -disable C:
-```
-
-5. Once the command is run, exit the command prompt and continue to boot into the operating system.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index ea25cc99da..ba44582914 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index fe24fac2a4..1592e527a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png
deleted file mode 100644
index 11f986fb68..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509186-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png
deleted file mode 100644
index 5b5b7b1b4a..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509188-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png
deleted file mode 100644
index 8d243a1899..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509189-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png
deleted file mode 100644
index bd37969b5d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509190-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png
deleted file mode 100644
index 00ef607ab3..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509191-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png
deleted file mode 100644
index 2085613b3d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509193-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png
deleted file mode 100644
index f4506c399b..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509194-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png
deleted file mode 100644
index cbecb03c4e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509195-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png
deleted file mode 100644
index 01e94b1243..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509196-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png
deleted file mode 100644
index 9056658662..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509198-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png
deleted file mode 100644
index d68a22eef7..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509199-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png
deleted file mode 100644
index 689bb19299..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509200-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png
deleted file mode 100644
index d521e86eed..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509201-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png
deleted file mode 100644
index bfcd2326b6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509202-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png
deleted file mode 100644
index 05acc571fe..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509203-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png
deleted file mode 100644
index fa13f38ba9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509204-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png
deleted file mode 100644
index a4f5cc15d2..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509205-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png
deleted file mode 100644
index 7b7e449443..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509206-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
deleted file mode 100644
index 95afbf2ccc..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
deleted file mode 100644
index d2caa05b03..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
deleted file mode 100644
index 14a30db7c4..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
deleted file mode 100644
index e691dcbc53..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
deleted file mode 100644
index 40ddf183f6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png
deleted file mode 100644
index c600883c0e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg
deleted file mode 100644
index 91d10e6c66..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png
deleted file mode 100644
index 21adc928de..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png
deleted file mode 100644
index 2941452109..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png
deleted file mode 100644
index 53b374d26e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png
deleted file mode 100644
index bc299cc0e9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png
deleted file mode 100644
index 1bef01d587..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png
deleted file mode 100644
index d4d825029c..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png
deleted file mode 100644
index 2acac0f3ea..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png
deleted file mode 100644
index cb5b84d6b9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png
deleted file mode 100644
index 3b3cd2b961..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png
deleted file mode 100644
index 4e82b9b76e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png
deleted file mode 100644
index 8fb9446d93..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg
deleted file mode 100644
index f1c25c116c..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png
deleted file mode 100644
index dfd30ba2a2..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.png and /dev/null differ
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 234c8a6eba..49d276838c 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,12 +1,13 @@
 ---
 title: Kernel DMA Protection (Windows)
-description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 01/05/2023
 ms.technology: itpro-security
@@ -18,7 +19,7 @@ ms.technology: itpro-security
 - Windows 10
 - Windows 11
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
 Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
@@ -32,9 +33,9 @@ The DMA capability is what makes PCI devices the highest performing devices avai
 These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis.
-Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress).
+Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress).
-Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs.
+Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs.
 It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
@@ -102,15 +103,15 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
- For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+ For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 ## Frequently asked questions
-### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
-In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
+In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices.
For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
-No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
 ### How can I check if a certain driver supports DMA-remapping?
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
@@ -122,7 +123,7 @@ Check the driver instance for the device you are testing. Some drivers may have
 ![Experience of a user about Kernel DMA protection](images/device-details-tab.png)
-### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
+### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
 If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index edec923f61..80d41fa3fb 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -5,8 +5,9 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 05/12/2022
 ms.author: dansimp
@@ -91,13 +92,13 @@ To trust and boot operating systems, like Linux, and components signed by the UE
 1. Open the firmware menu, either:
- - Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site.
+ - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
 - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
-2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”.
+2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
-3. Save changes and exit.
+3. Save changes and exit.
 Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
@@ -132,6 +133,8 @@ Depending on the implementation and configuration, the server can now determine
 Figure 2 illustrates the Measured Boot and remote attestation process.
+
+
 ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 *Figure 2. Measured Boot proves the PC's health to a remote server*
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5545248585..1f711c3493 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -14,7 +14,7 @@ ms.technology: itpro-security
 # Back up the TPM recovery information to AD DS
 **Applies to**
-- Windows 10
+- Windows 10
 - Windows 11
 - Windows Server 2016 and above
@@ -22,7 +22,7 @@ ms.technology: itpro-security
 - Windows 10, version 1607 or later
-With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
+With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
 ## Related topics
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
deleted file mode 100644
index 5fabd8a69f..0000000000
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Change the TPM owner password (Windows)
-description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.reviewer:
-ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 01/18/2022
-ms.technology: itpro-security
----
-
-# Change the TPM owner password
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-
-## About the TPM owner password
-
-Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
-
-> [!IMPORTANT]
-> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. Unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.
-
-Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic.
Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
-
-Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI.
-
-### Other TPM management options
-
-Instead of changing your owner password, you can also use the following options to manage your TPM:
-
-- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-
-- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm).
-
-## Change the TPM owner password
-
-With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
-
-To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index df275cf0b3..d1f3ca2437 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -30,9 +30,9 @@ The Windows operating system improves most existing security features in the ope The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more. -Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. +Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. 
Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM's features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). 
@@ -40,7 +40,7 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. -Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. +Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. ## TPM in Windows 
@@ -58,15 +58,15 @@ The Platform Crypto Provider, introduced in the Windows 8 operating system, expo - **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. 
On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically. ## Virtual Smart Card -Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. +Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). 
Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. -In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses. +In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes "something the user has" but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. -For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. +For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. 
Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates "lost card" and "card left at home" scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. ## Windows Hello for Business 
@@ -87,21 +87,21 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA. ## BitLocker Drive Encryption -BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. +BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data. In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. 
If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: -- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. 
At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. +- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. - **Key used only when boot measurements are accurate**. 
BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). -Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. 
The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. +Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. -Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. +Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. 
The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. ## Device Encryption -Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. +Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the "TPM-only" configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. 
This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. 
@@ -111,7 +111,7 @@ Windows 8 introduced Measured Boot as a way for the operating system to record t The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). -Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted. +Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted. TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware. 
@@ -133,7 +133,7 @@ Mobile device management (MDM) solutions can receive simple security assertions ## Credential Guard -Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization. +Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization. Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. 
This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. @@ -141,17 +141,17 @@ The resulting solution provides defense in depth, because even if malware runs i ## Conclusion -The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. +The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features.
                |Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider |
                • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                • The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
                | +| Platform Crypto Provider |
                • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                • The TPM's dictionary attack mechanism protects PIN values to use a certificate.
                | | Virtual Smart Card |
                • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
                | -| Windows Hello for Business |
                • Credentials provisioned on a device cannot be copied elsewhere.
                • Confirm a device’s TPM before credentials are provisioned.
                | +| Windows Hello for Business |
                • Credentials provisioned on a device cannot be copied elsewhere.
                • Confirm a device's TPM before credentials are provisioned.
                | | BitLocker Drive Encryption |
                • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
                | -|Device Encryption |
                • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
                | +|Device Encryption |
                • With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.
                | | Measured Boot |
                • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
                | | Health Attestation |
                • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
                | | Credential Guard |
                • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
                | diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index dc54432a56..0fa4cfb623 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -8,6 +8,7 @@ ms.author: dansimp manager: aaroncz ms.collection: - highpri + - tier1 ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security @@ -71,7 +72,7 @@ You can use the Windows Defender Security Center app to clear the TPM as a troub Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again. > [!WARNING] -> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.” +> Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM." ### Precautions to take before clearing the TPM diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md deleted file mode 100644 index 1ec4c72de8..0000000000 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ /dev/null 
@@ -1,80 +0,0 @@
----
-title: Manage TPM commands (Windows)
-description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-
-# Manage TPM commands
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-
-After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
-
-The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
-
-**To block TPM commands by using the Local Group Policy Editor**
-
-1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-   > [!NOTE]
-   > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
-
-2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
-
-3. Under **System**, click **Trusted Platform Module Services**.
-
-4. In the details pane, double-click **Configure the list of blocked TPM commands**.
-
-5. Click **Enabled**, and then click **Show**.
-
-6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**.
-
-   > [!NOTE]
-   > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
-
-7. After you have added numbers for each command that you want to block, click **OK** twice.
-
-8. Close the Local Group Policy Editor.
-
-**To block or allow TPM commands by using the TPM MMC**
-
-1. Open the TPM MMC (tpm.msc)
-
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-3. In the console tree, click **Command Management**. A list of TPM commands is displayed.
-
-4. In the list, select a command that you want to block or allow.
-
-5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy.
-
-**To block new commands**
-
-1. Open the TPM MMC (tpm.msc).
-
-   If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-2. In the console tree, click **Command Management**. A list of TPM commands is displayed.
-
-3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed.
-
-4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list.
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
deleted file mode 100644
index b348034a8d..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Manage TPM lockout (Windows)
-description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.reviewer:
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-# Manage TPM lockout
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-
-## About TPM lockout
-
-The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
-
-TPM ownership is taken upon first boot by Windows. By default, Windows does not retain the TPM owner password.
-
-In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
-
-**TPM 1.2**
-
-The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time.
-
-**TPM 2.0**
-
-TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1.
-
-If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
-
-## Reset the TPM lockout by using the TPM MMC
-
-> [!NOTE]
-> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher.
-
-The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
-
-**To reset the TPM lockout**
-
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
-
-3. Choose one of the following methods to enter the TPM owner password:
-
-   - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location.
-
-   - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided.
-
-   > [!NOTE]
-   > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
-
-## Use Group Policy to manage TPM lockout settings
-
-The TPM Group Policy settings in the following list are located at:
-
-**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-
-- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration)
-
-   This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization.
-
-- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold)
-
-   This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.
-
-- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold)
-
-   This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
-
-For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering).
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index 34b14b5105..6e27cc9532 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -35,13 +35,13 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
 To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
-It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
+It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match.
 ## What happens when PCR banks are switched?
 When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
 ## What can I do to switch PCRs when BitLocker is already active?
@@ -49,7 +49,7 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y
 ## How can I identify which PCR bank is being used?
-A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
+A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
 - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
                - DWORD: TPMActivePCRBanks
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 60e31fc6af..e6fafb1224 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -26,7 +26,7 @@ Computers that incorporate a TPM can create cryptographic keys and encrypt them
 You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
-Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
+Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM." Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
 With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
@@ -61,7 +61,7 @@ The Measured Boot feature provides antimalware software with a trusted (resistan
 ## TPM-based Virtual Smart Card
-The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
+The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization's computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
 ## TPM-based certificate storage
@@ -93,7 +93,7 @@ When a TPM processes a command, it does so in a protected environment, for examp
 TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
-Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
+Because many entities can use the TPM, a single authorization success cannot reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic.
 ### TPM 2.0 anti-hammering
@@ -125,7 +125,7 @@ Beginning with Windows 10, version 1703, the minimum length for the BitLocker PI
 The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
-- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
+- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
 - Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index aab2d0711e..6207a1192c 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -9,6 +9,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -28,9 +29,9 @@ For a basic feature description of TPM, see the [Trusted Platform Module Technol
 ## TPM design and implementation
-Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index f768669a7c..f484ac475a 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -9,6 +9,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 adobe-target: true
 ms.technology: itpro-security
@@ -32,7 +33,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a
 - Generate, store, and limit the use of cryptographic keys.
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.
+- Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into it.
 - Help ensure platform integrity by taking and storing security measurements.
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 300fe10913..ca9f536057 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -8,6 +8,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -29,7 +30,7 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
 | [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
 | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
 | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
+| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
 | [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
 | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
 | [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png
deleted file mode 100644
index 5ce10dd81f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png
deleted file mode 100644
index 6bc8237f7f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png
deleted file mode 100644
index 7d67692ff3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png
deleted file mode 100644
index 3ffbcce88c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png
deleted file mode 100644
index 0148a800b2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
deleted file mode 100644
index 3ceabfd15a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
deleted file mode 100644
index 09bbda3a06..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
deleted file mode 100644
index 17a97b8d3a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
deleted file mode 100644
index 7b226b7edd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png
deleted file mode 100644
index 52e3983adf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
deleted file mode 100644
index 808de2db0e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
deleted file mode 100644
index 3f7b7af6b6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
deleted file mode 100644
index f889dbca48..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
deleted file mode 100644
index de066d3a8b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
deleted file mode 100644
index 7987e91454..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
deleted file mode 100644
index 70e726d379..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
deleted file mode 100644
index e48b59aa4b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
deleted file mode 100644
index 6aa8f89355..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
deleted file mode 100644
index 6786a93416..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
deleted file mode 100644
index bc801a8521..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
deleted file mode 100644
index 64d9ebda26..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
deleted file mode 100644
index 3ec8bec32d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
deleted file mode 100644
index b3340d6e4f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
deleted file mode 100644
index 49c41b313d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
deleted file mode 100644
index 51abff3771..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
deleted file mode 100644
index cf9f85181a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
deleted file mode 100644
index 66415d57fd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
deleted file mode 100644
index a1d9bc70d9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
deleted file mode 100644
index b09cb58508..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
deleted file mode 100644
index 19892b3a7c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png
deleted file mode 100644
index cfeee8a45f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png
deleted file mode 100644
index 57c40a85d0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png
deleted file mode 100644
index 58f675399a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png
deleted file mode 100644
index dd6450af37..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png
deleted file mode 100644
index 3dbbb4e09b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png
deleted file mode 100644
index 89a133bcbe..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
deleted file mode 100644
index f069f140dd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
deleted file mode 100644
index e02310282d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
deleted file mode 100644
index ae14d18238..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
deleted file mode 100644
index 91109c29c9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
deleted file mode 100644
index 0aeb04bf0a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
deleted file mode 100644
index 7090e29ff1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
deleted file mode 100644
index 313b0e4b73..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
deleted file mode 100644
index e759e45f28..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
deleted file mode 100644
index 8b81622c1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
deleted file mode 100644
index 8bc8a4d845..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
deleted file mode 100644
index b31efa417c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
deleted file mode 100644
index d12500349a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
deleted file mode 100644
index e2b9b2ccae..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
deleted file mode 100644
index b549db5548..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
deleted file mode 100644
index 5c0dd50bb0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
deleted file mode 100644
index eef6b1efd0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
deleted file mode 100644
index 5ed595983a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
deleted file mode 100644
index 59291bf62e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
deleted file mode 100644
index 3142b31f51..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
deleted file mode 100644
index aa0184a2c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
deleted file mode 100644
index f282ff5e6b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
deleted file mode 100644
index 2ecd78f1ca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
deleted file mode 100644
index f397cd6797..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
deleted file mode 100644
index 30dde125e1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
deleted file mode 100644
index 0fff54b6d2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png
deleted file mode 100644
index fdbc950c9e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
deleted file mode 100644
index af36a7cc4e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index af39d39146..d8992b23c1 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 319301f86f..45ec095169 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index d505b5d9ef..aab983edfc 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection:
 - highpri
+ - tier3
 ms.topic: reference
 ---
@@ -127,7 +128,7 @@ This event generates when a logon session is created (on destination machine). I
 - **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon.
-- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following:
 - Domain NETBIOS name example: CONTOSO
@@ -191,7 +192,7 @@ This event generates when a logon session is created (on destination machine). I
 - **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed.
-- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following:
 - Domain NETBIOS name example: CONTOSO
@@ -289,7 +290,7 @@ For 4624(S): An account was successfully logged on.
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don’t comply with naming conventions. |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. |
 - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 81657a6361..425447b217 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -28,7 +29,7 @@ ms.topic: reference This event is logged for any logon failure. -It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. +It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation. This event generates on domain controllers, member servers, and workstations. @@ -107,11 +108,11 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. +- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field. **Table 11: Windows Logon Types** 
@@ -146,17 +147,17 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." **Failure Information:** -- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value. +- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value. -- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. +- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value. 
The most common status codes are listed in Table 12. Windows logon status codes. **Table 12: Windows logon status codes.** @@ -189,7 +190,7 @@ This event generates on domain controllers, member servers, and workstations. More information: -- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”. +- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the "Table 12. Windows logon status codes.". **Process Information:** @@ -199,7 +200,7 @@ More information: If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. 
@@ -219,9 +220,9 @@ More information: **Detailed Authentication Information:** -- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information. +- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information. -- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: +- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. 
When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: - **NTLM** – NTLM-family Authentication @@ -233,15 +234,15 @@ More information: - **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are: - - “NTLM V1” + - "NTLM V1" - - “NTLM V2” + - "NTLM V2" - - “LM” + - "LM" - Only populated if “**Authentication Package” = “NTLM”**. + Only populated if "**Authentication Package" = "NTLM"**. -- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. +- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package. ## Security Monitoring Recommendations 
@@ -250,19 +251,19 @@ For 4625(F): An account failed to log on. > [!IMPORTANT] > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. +- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value. -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” +- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**." - If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**. - To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. 
-- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account. +- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account. - We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets. @@ -270,7 +271,7 @@ For 4625(F): An account failed to log on. - If your organization restricts logons in the following ways, you can use this event to monitor accordingly: - - If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**. + - If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**. - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. @@ -286,14 +287,14 @@ For 4625(F): An account failed to log on. | Field | Value to monitor for | |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
                This issue is typically not a security issue, but it can be an infrastructure or availability issue. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
                Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
                Especially watch for a number of such events in a row. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
                Especially watch for a number of such events in a row. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
                This issue is typically not a security issue but it can be an infrastructure or availability issue. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request."
                This issue is typically not a security issue, but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account".
                Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts.
                Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts.
                Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours". | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation". | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator". | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine". | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started".
                This issue is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account". | + | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine". | diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 3ca1095e98..2cefaaced0 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -26,11 +27,11 @@ ms.topic: reference ***Event Description:*** -This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided. +This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided. This event generates only on domain controllers. -This event is not generated if “Do not require Kerberos preauthentication” option is set for the account. +This event is not generated if "Do not require Kerberos preauthentication" option is set for the account. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. 
@@ -127,7 +128,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o - Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. -> **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
                MSB illustration +> **Note**  In the table below **"MSB 0"** bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from left.
                MSB illustration The most common values: @@ -185,14 +186,14 @@ The most common values: | 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | | 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | | 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
                It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
                It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | | 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | | 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | | 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | | 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | | 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user's password has expired. | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | | 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | 
@@ -260,9 +261,9 @@ The most common values: - **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. -- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate's serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. -- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate's thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. ## Security Monitoring Recommendations @@ -270,11 +271,11 @@ For 4771(F): Kerberos pre-authentication failed. | **Type of monitoring required** | **Recommendation** | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Security ID"** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Security ID"** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Security ID"** that corresponds to the accounts that should never be used. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Security ID"** for accounts that are outside the allow list. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. | - You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index e411b647ce..ad57e347c4 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md 
@@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -34,11 +35,11 @@ It shows successful and unsuccessful credential validation attempts. It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event. -If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to “**0x0**”. +If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to "**0x0**". The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used. -For monitoring local account logon attempts, it's better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative. +For monitoring local account logon attempts, it's better to use event "[4624](event-4624.md): An account was successfully logged on" because it contains more details and is more informative. This event also generates when a workstation unlock event occurs. 
@@ -85,7 +86,7 @@ This event does *not* generate when a domain account logs on locally to a domain ***Field Descriptions:*** -- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event. +- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always "**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**" for [4776](event-4776.md) event. > **Note**  **Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt. 
@@ -101,7 +102,7 @@ This event does *not* generate when a domain account logs on locally to a domain - **Source Workstation** \[Type = UnicodeString\]: the name of the computer from which the logon attempt originated. -- **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has “**0x0**” value. The table below contains most common error codes for this event: +- **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has "**0x0**" value. The table below contains most common error codes for this event: | Error Code | Description | |------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -126,16 +127,16 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **Type of monitoring required** | **Recommendation** | |-----------------|---------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
                To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | -| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you're concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Logon Account"** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Logon Account"** value (with other information) to monitor how or when a particular account is being used.
                To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Logon Account"** that should never be used. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Logon Account"** for accounts that are outside the allow list. | +| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on. | Monitor the target **Source Workstation** for credential validation requests from the **"Logon Account"** that you're concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Logon Account"** for names that don't comply with naming conventions. | -- If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. +- If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don't forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. -- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. +- You can use this event to collect all NTLM authentication attempts in the domain, if needed. 
Don't forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. - If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 97c0977a60..e935d656d9 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -212,9 +212,9 @@ For a change operation, you'll typically see two 5136 events for one action, wit - **Type** \[Type = UnicodeString\]**:** type of performed operation. - - **Value Added** – new value added. + - **Value Added** – new value added ('%%14674') - - **Value Deleted** – value deleted (typically “Value Deleted” is a part of change operation). + - **Value Deleted** – value deleted ('%%14675', typically “Value Deleted” is a part of change operation). @@ -236,4 +236,5 @@ For 5136(S): A directory service object was modified. - If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. -- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file +- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. + 
diff --git a/windows/security/threat-protection/auditing/images/netsh-command.png b/windows/security/threat-protection/auditing/images/netsh-command.png
deleted file mode 100644
index 56d7caa0c4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/netsh-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics.png b/windows/security/threat-protection/auditing/images/synaptics.png
deleted file mode 100644
index 2ffc025437..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index ebf21e1e50..3985c12068 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/09/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png
deleted file mode 100644
index 043da38016..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png
deleted file mode 100644
index 1943ec1fab..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png
deleted file mode 100644
index 6913ecfcc6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png
deleted file mode 100644
index d35b3507f8..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png
deleted file mode 100644
index c2cec3aca1..0000000000
Binary files a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png
deleted file mode 100644
index 4bf90b2b8a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/admintemplates.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/baselines.png b/windows/security/threat-protection/device-control/images/baselines.png
deleted file mode 100644
index d08380470f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/baselines.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
deleted file mode 100644
index 3080e0d1f0..0000000000
Binary files a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/bluetooth.png b/windows/security/threat-protection/device-control/images/bluetooth.png
deleted file mode 100644
index f4f5e4804b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/bluetooth.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png
deleted file mode 100644
index 6951e4ed5a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/class-guids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
deleted file mode 100644
index 9d295dfa6b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
deleted file mode 100644
index 4b8c80fdd7..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
deleted file mode 100644
index eaba30b27f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
deleted file mode 100644
index b0b7eb7237..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png
deleted file mode 100644
index 95ac48ec54..0000000000
Binary files a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png
deleted file mode 100644
index 44be977537..0000000000
Binary files a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png
deleted file mode 100644
index 829014859f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolcard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png
deleted file mode 100644
index a7cd33c892..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
deleted file mode 100644
index cd814377be..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
deleted file mode 100644
index 4743358c57..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicesbyconnection.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
deleted file mode 100644
index 10b636fc0d..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicevendorid.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png
deleted file mode 100644
index cf8399acf4..0000000000
Binary files a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
deleted file mode 100644
index 152822dc29..0000000000
Binary files a/windows/security/threat-protection/device-control/images/general-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png
deleted file mode 100644
index 9017f289f6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/hardware-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png
deleted file mode 100644
index 55be4d714a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
deleted file mode 100644
index c86eab1470..0000000000
Binary files a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 003104ce73..9c1feb7d06 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,6 +10,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier2 ms.topic: conceptual ms.date: 12/16/2021 ms.reviewer: @@ -77,7 +78,7 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s > [!IMPORTANT] > -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. > > - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled. > diff --git a/windows/security/threat-protection/device-guard/images/device-guard-gp.png b/windows/security/threat-protection/device-guard/images/device-guard-gp.png deleted file mode 100644 index 6d265509ea..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/device-guard-gp.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png b/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png
deleted file mode 100644
index fa2c162cc0..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png
deleted file mode 100644
index 4439bd2764..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png
deleted file mode 100644
index db0ddb80db..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png
deleted file mode 100644
index 55344d70d1..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png
deleted file mode 100644
index d79ca2c2af..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png b/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png
deleted file mode 100644
index 08492ef73b..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png b/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png
deleted file mode 100644
index 2c5c7236eb..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png b/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png
deleted file mode 100644
index 2c838be648..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png
deleted file mode 100644
index 9499946283..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png b/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png
deleted file mode 100644
index c6b33e6139..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png b/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png b/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png b/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png
deleted file mode 100644
index 9f0ed93274..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png
deleted file mode 100644
index bad5fe7cdd..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png
deleted file mode 100644
index 11687d092c..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png
deleted file mode 100644
index 7661cb4eb9..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png b/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png
deleted file mode 100644
index 9b423ea8ab..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
deleted file mode 100644
index 1bee48b996..0000000000
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ /dev/null
@@ -1,78 +0,0 @@ ---- -title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. -keywords: virtualization, security, malware -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.localizationpriority: medium -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: conceptual -ms.date: 10/20/2017 -ms.reviewer: -ms.author: vinpa -ms.technology: itpro-security ---- - -# Baseline protections and other qualifications for virtualization-based protection of code integrity - -**Applies to** -- Windows 10 - -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats. - -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. - -> [!WARNING] -> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. 
Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - -The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. - -## Baseline protections - -|Baseline Protections | Description | Security benefits | -|--------------------------------|----------------------------------------------------|-------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | -| Hardware: **CPU virtualization extensions**,
                plus **extended page tables** | These hardware features are required for VBS:
                One of the following virtualization extensions:
                • VT-x (Intel) or
                • AMD-V
                And:
                • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). 
You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                Important:
                Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                | Support for VBS and for management features. | - -> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. - -## Other qualifications for improved security - -The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met. - - -### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
                • In the BIOS configuration, BIOS authentication must be set.
                • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.
                • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | - -
                - -### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
                • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
                • HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
                • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
                • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
                - -### More security qualifications starting with Windows 10, version 1703 - - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                • UEFI runtime service must meet these requirements:
                    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                Notes:
                • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                • This protection is applied by VBS on OS page tables.


                Also note the following guidelines:
                • Don't use sections that are both writeable and executable
                • Don't attempt to directly modify executable system memory
                • Don't use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                • Reduces the attack surface to VBS from system firmware.
                • Blocks other security attacks against SMM. |
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 7b0d87f42e..4f3fd11f90 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -8,6 +8,7 @@ ms.author: paoloma author: paolomatarazzo ms.collection: - highpri + - tier3 ms.topic: article ms.localizationpriority: medium ms.reviewer:
@@ -133,7 +134,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile |Boot Manager|[10.0.15063][sp-3089]|[#3089][certificate-3089]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); CKG (vendor affirmed); HMAC (Cert. [#3061][hmac-3061]); PBKDF (vendor affirmed); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)| |Windows OS Loader|[10.0.15063][sp-3090]|[#3090][certificate-3090]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                [Other algorithms: NDRNG][certificate-3090]| |Windows Resume [1]|[10.0.15063][sp-3091]|[#3091][certificate-3091]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790])| -|BitLocker® Dump Filter [2]|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])| +|BitLocker® Dump Filter [2]|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])| |Code Integrity (ci.dll)|[10.0.15063][sp-3093]|[#3093][certificate-3093]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])| |Secure Kernel Code Integrity (skci.dll)[3]|[10.0.15063][sp-3096]|[#3096][certificate-3096]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])| @@ -156,9 +157,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[#2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#886][component-886])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[#2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887])| |Boot Manager|[10.0.14393][sp-2931]|[#2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: MD5; PBKDF (non-compliant); VMK KDF| -|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: NDRNG; MD5| -|BitLocker® Windows Resume (winresume)[1]|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[2]|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])| +|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: NDRNG; MD5| +|BitLocker® Windows Resume (winresume)[1]|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[2]|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])| |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[#2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: AES (non-compliant); MD5

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])| |Secure Kernel Code Integrity (skci.dll)[3]|[10.0.14393][sp-2938]|[#2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])

                Other algorithms: MD5

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])| @@ -180,9 +181,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10586][sp-2605]|[#2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])

                Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#664][component-664])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10586][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])

                Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663])| |Boot Manager [4]|[10.0.10586][sp-2700]|[#2700][certificate-2700]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); HMAC (Cert. [#2381][hmac-2381]); PBKDF (vendor affirmed); RSA (Cert. [#1871][rsa-1871]); SHS (Certs. [#3047][shs-3047] and [#3048][shs-3048])

                Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)| -|BitLocker® Windows OS Loader (winload)[5]|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                Other algorithms: MD5; NDRNG| -|BitLocker® Windows Resume (winresume)[6]|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[7]|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])| +|BitLocker® Windows OS Loader (winload)[5]|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                Other algorithms: MD5; NDRNG| +|BitLocker® Windows Resume (winresume)[6]|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[7]|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])| |Code Integrity (ci.dll)|[10.0.10586][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])

                Other algorithms: AES (non-compliant); MD5

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])| |Secure Kernel Code Integrity (skci.dll)[8]|[10.0.10586][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])

                Other algorithms: MD5

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])| @@ -208,9 +209,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10240][sp-2605]|#[2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])

                Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#575][component-575])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10240][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])

                Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576])| |Boot Manager[9]|[10.0.10240][sp-2600]|[#2600][certificate-2600]|FIPS approved algorithms: AES (Cert. [#3497][aes-3497]); HMAC (Cert. [#2233][hmac-2233]); KTS (AES Cert. [#3498][aes-3498]); PBKDF (vendor affirmed); RSA (Cert. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871] and [#2886][shs-2886])

                Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)| -|BitLocker® Windows OS Loader (winload)[10]|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                Other algorithms: MD5; NDRNG| -|BitLocker® Windows Resume (winresume)[11]|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[12]|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])| +|BitLocker® Windows OS Loader (winload)[10]|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                Other algorithms: MD5; NDRNG| +|BitLocker® Windows Resume (winresume)[11]|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[12]|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])| |Code Integrity (ci.dll)|[10.0.10240][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])

                Other algorithms: AES (non-compliant); MD5

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])| |Secure Kernel Code Integrity (skci.dll)[13]|[10.0.10240][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])

                Other algorithms: MD5

                Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])| @@ -237,9 +238,9 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[#2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#323][component-323])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[#2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
 |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[#2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)[14]|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                Other algorithms: N/A|
+|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                Other algorithms: MD5; NDRNG|
+|BitLocker® Windows Resume (winresume)[14]|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                Other algorithms: N/A|
 |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[#2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])

                Other algorithms: MD5

                Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
 \[14\] Applies only to Pro, Enterprise, and Embedded 8.
@@ -256,9 +257,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[#1892][sp-1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[#1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)

                Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.2.9200][sp-1895]|[#1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)[15]|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                Other algorithms: N/A|
+|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker® Windows Resume (WINRESUME)[15]|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
+|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                Other algorithms: N/A|
 |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[#1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[#1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)

                Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)

                Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[#1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. #1346); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])

                Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -278,7 +279,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385][sp-1328]

                [6.1.7600.16915][sp-1328]

                [6.1.7600.21092][sp-1328]

                [6.1.7601.17514][sp-1328]

                [6.1.7601.17725][sp-1328]

                [6.1.7601.17919][sp-1328]

                [6.1.7601.21861][sp-1328]

                [6.1.7601.22076][sp-1328]|[1328][certificate-1328]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1178][aes-1178]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#24][drbg-24]); ECDSA (Cert. [#141][ecdsa-141]); HMAC (Cert. [#677][hmac-677]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#560][rsa-560]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])

                Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
 |Boot Manager|[6.1.7600.16385][sp-1319]

                [6.1.7601.17514][sp-1319]|[1319][certificate-1319]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)

                Other algorithms: MD5|
 |Winload OS Loader (winload.exe)|[6.1.7600.16385][sp-1326]

                [6.1.7600.16757][sp-1326]

                [6.1.7600.20897][sp-1326]

                [6.1.7600.20916][sp-1326]

                [6.1.7601.17514][sp-1326]

                [6.1.7601.17556][sp-1326]

                [6.1.7601.21655][sp-1326]

                [6.1.7601.21675][sp-1326]|[1326][certificate-1326]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: MD5|
-|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]

                [6.1.7600.16429][sp-1332]

                [6.1.7600.16757][sp-1332]

                [6.1.7600.20536][sp-1332]

                [6.1.7600.20873][sp-1332]

                [6.1.7600.20897][sp-1332]

                [6.1.7600.20916][sp-1332]

                [6.1.7601.17514][sp-1332]

                [6.1.7601.17556][sp-1332]

                [6.1.7601.21634][sp-1332]

                [6.1.7601.21655][sp-1332]

                [6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: Elephant Diffuser|
+|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]

                [6.1.7600.16429][sp-1332]

                [6.1.7600.16757][sp-1332]

                [6.1.7600.20536][sp-1332]

                [6.1.7600.20873][sp-1332]

                [6.1.7600.20897][sp-1332]

                [6.1.7600.20916][sp-1332]

                [6.1.7601.17514][sp-1332]

                [6.1.7601.17556][sp-1332]

                [6.1.7601.21634][sp-1332]

                [6.1.7601.21655][sp-1332]

                [6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: Elephant Diffuser|
 |Code Integrity (CI.DLL)|[6.1.7600.16385][sp-1327]

                [6.1.7600.17122][sp-1327]v[6.1.7600.21320][sp-1327]

                [6.1.7601.17514][sp-1327]

                [6.1.7601.17950][sp-1327]v[6.1.7601.22108][sp-1327]|[1327][certificate-1327]|FIPS approved algorithms: RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385][sp-1331]

                (no change in SP1)|[1331][certificate-1331]|FIPS approved algorithms: DSA (Cert. [#385][dsa-385]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)

                Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385][sp-1330]

                (no change in SP1)|[1330][certificate-1330]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#673][hmac-673]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#557][rsa-557] and [#559][rsa-559]); Triple-DES (Cert. [#846][tdes-846])

                Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -312,7 +313,7 @@ Validated Editions: Ultimate Edition
 |--- |--- |--- |--- |
 |Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386][sp-893] | [893][certificate-893] | FIPS approved algorithms: AES (Cert. [#553][aes-553]); HMAC (Cert. [#297][hmac-297]); RNG (Cert. [#321][rng-321]); RSA (Certs. [#255][rsa-255] and [#258][rsa-258]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549])

                Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386][sp-894]|[894][certificate-894]|FIPS approved algorithms: DSA (Cert. [#226][dsa-226]); RNG (Cert. [#321][rng-321]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549]); Triple-DES MAC (Triple-DES Cert. [#549][tdes-549], vendor affirmed)

                Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])

                Other algorithms: Elephant Diffuser|
+|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])

                Other algorithms: Elephant Diffuser|
 |Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067][sp-891]|[891][certificate-891]|FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)

                Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5|
@@ -481,9 +482,9 @@ Validated Editions: Standard, Datacenter, Storage Server
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[10.0.14393][sp-2931]|[2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: NDRNG; MD5|
+|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
 |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                Other algorithms: AES (non-compliant); MD5|
 |Secure Kernel Code Integrity (skci.dll)|[10.0.14393][sp-2938]|[2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])

                Other algorithms: MD5|
@@ -501,9 +502,9 @@ Validated Editions: Server, Storage Server,
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)[16]|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)[17]|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                Other algorithms: N/A|
+|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                Other algorithms: MD5; NDRNG|
+|BitLocker® Windows Resume (winresume)[16]|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)[17]|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                Other algorithms: N/A|
 |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])

                Other algorithms: MD5|
 \[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
@@ -522,9 +523,9 @@ Validated Editions: Server, Storage Server
 |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. #[1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)

                Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)

                Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.2.9200][sp-1895]|[1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                Other algorithms: N/A|
+|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
+|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                Other algorithms: N/A|
 |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)

                Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. [#1346][hmac-1346]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])

                Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -542,7 +543,7 @@ Validated Editions: Server, Storage Server
 |Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514][sp-1336]|[1336][certificate-1336]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#27][drbg-27]); DSA (Cert. [#391][dsa-391]); ECDSA (Cert. [#142][ecdsa-142]); HMAC (Cert. [#686][hmac-686]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#567][rsa-567]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])

                Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4|
 |Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385][sp-1337]|[1337][certificate-1337]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#687][hmac-687]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#559][rsa-559] and [#568][rsa-568]); Triple-DES (Cert. [#846][tdes-846])

                Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385][sp-1338]|[1338][certificate-1338]|FIPS approved algorithms: DSA (Cert. [#390][dsa-390]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)

                Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: Elephant Diffuser| +|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                Other algorithms: Elephant Diffuser| @@ -661,20 +662,20 @@ For more details, expand each algorithm section. |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);

                **CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)

                **CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                **CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                **GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                **IV Generated:** (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported

                GMAC supported

                **XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#4064][aes-4064]

                Version 10.0.14393| |**ECB** (e/d; 128, 192, 256);

                **CBC** (e/d; 128, 192, 256);

                **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#4063][aes-4063]

                Version 10.0.14393| |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

                AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#4062][aes-4062]

                Version 10.0.14393| -|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]

                Version 10.0.14393| +|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]

                Version 10.0.14393| |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#3652][aes-3652]

                Version 10.0.10586| -|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]

                Version 10.0.10586| +|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]

                Version 10.0.10586| |**ECB** (e/d; 128, 192, 256);

                **CBC** (e/d; 128, 192, 256);

                **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" RSA32 Algorithm Implementations [#3630][aes-3630]

                Version 10.0.10586| |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);

                **CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)

                **CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                **CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                **GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)v**IV Generated:** (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported

                GMAC supported

                **XTS((KS: XTS_128**((e/d) (f)) **KS: XTS_256**((e/d) (f))|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" SymCrypt Cryptographic Implementations [#3629][aes-3629]

                Version 10.0.10586| |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                AES [validation number 3497][aes-3497]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#3507][aes-3507]

                Version 10.0.10240| -|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]

                Version 10.0.10240| +|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]

                Version 10.0.10240| |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);

                **CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)

                **CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                **CMAC(Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                **GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                **IV Generated:** (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported

                GMAC supported

                **XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#3497][aes-3497]

                Version 10.0.10240| |**ECB** (e/d; 128, 192, 256);

                **CBC** (e/d; 128, 192, 256);

                **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#3476][aes-3476]

                Version 10.0.10240| |**ECB** (e/d; 128, 192, 256);

                **CBC** (e/d; 128, 192, 256);

                **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2853][aes-2853]

                Version 6.3.9600| |**CCM (KS: 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                AES [validation number 2832][aes-2832]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations [#2848][aes-2848]

                Version 6.3.9600| |**CCM (KS: 128, 192, 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                **CMAC (Generation/Verification) (KS: 128**; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                **GCM (KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                **(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)

                **IV Generated:** (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported;

                **OtherIVLen_Supported

                GMAC supported**|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #[2832][aes-2832]

                Version 6.3.9600| |**CCM (KS: 128, 192, 256**) **(Assoc. Data Len Range**: 0-0, 2^16) **(Payload Length Range**: 0 - 32 (**Nonce Length(s)**: 7 8 9 10 11 12 13 **(Tag Length(s)**: 4 6 8 10 12 14 16)

                AES [validation number 2197][aes-2197]

                **CMAC** (Generation/Verification) **(KS: 128;** Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 192**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 256**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16)

                AES [validation number 2197][aes-2197]

                **GCM(KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) **(KS: AES_192**(e/d) Tag Length(s): 128 120 112 104 96)

                **(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)

                **IV Generated:** (Externally); **PT Lengths Tested:** (0, 128, 1024, 8, 1016); **Additional authenticated data lengths tested:** (0, 128, 1024, 8, 1016); **IV Lengths Tested:** (8, 1024); **96 bit IV supported

                GMAC supported**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#2216][aes-2216]| -|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)

                AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]| +|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)

                AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]| |**ECB** (e/d; 128, 192, 256);

                **CBC** (e/d; 128, 192, 256);

                **CFB8** (e/d; 128, 192, 256);

                **CFB128** (e/d; 128, 192, 256);

                **CTR** (int only; 128, 192, 256)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#2197][aes-2197]| |**ECB** (e/d; 128, 192, 256);

                **CBC** (e/d; 128, 192, 256);

                **CFB8** (e/d; 128, 192, 256);|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#2196][aes-2196]| |**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s): **4 6 8 10 12 14 16**)**

                AES [validation number 1168][aes-1168]|Windows Server 2008 R2 and SP1 CNG algorithms [#1187][aes-1187]

                Windows 7 Ultimate and SP1 CNG algorithms [#1178][aes-1178]| @@ -842,7 +843,7 @@ For more details, expand each algorithm section. |

                **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS)
                SHS[validation number 2886][shs-2886]

                **HMAC-SHA256** (Key Size Ranges Tested: KSBS)
                SHS[validation number 2886][shs-2886]

                **HMAC-SHA384** (Key Size Ranges Tested: KSBS)
                [ SHSvalidation number 2886][shs-2886]

                **HMAC-SHA512** (Key Size Ranges Tested: KSBS)
                SHS[validation number 2886][shs-2886]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2233][hmac-2233]

                Version 10.0.10240| |

                **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS)
                SHS [validation number 2373][shs-2373]

                **HMAC-SHA256** (Key Size Ranges Tested: KSBS)
                SHS [validation number 2373][shs-2373]

                **HMAC-SHA384** (Key Size Ranges Tested: KSBS)
                SHS [validation number 2373][shs-2373]

                **HMAC-SHA512** (Key Size Ranges Tested: KSBS)
                SHS [validation number 2373][shs-2373]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1773][hmac-1773]

                Version 6.3.9600| |

                **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]

                **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]

                **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]

                **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]|Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) [#2122][hmac-2122]

                Version 5.2.29344| -|

                **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]

                **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]| +|

                **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]

                **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]| |

                **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS**[#1902][shs-1902]

                **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]

                **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]

                **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #[1346][hmac-1346]| |

                **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)**
                **SHS**[#1903][shs-1903]

                **HMAC-SHA256 (Key Size Ranges Tested: KSBS)**
                **SHS**[#1903][shs-1903]

                **HMAC-SHA384 (Key Size Ranges Tested: KSBS)**
                **SHS**[#1903][shs-1903]

                **HMAC-SHA512 (Key Size Ranges Tested: KSBS)**
                **SHS**[#1903][shs-1903]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #[1345][hmac-1345]| |

                **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]

                **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]
                **Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]

                **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll), [#1364][hmac-1364]| diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md deleted file mode 100644 index 6fb73d0cd6..0000000000 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -title: Get support -description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT). -ms.prod: windows-client -ms.localizationpriority: medium -ms.author: dansimp -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 06/25/2018 -ms.reviewer: -ms.technology: itpro-security ---- - -# Get Support for Windows baselines - -## Frequently asked questions - -### What is the Microsoft Security Compliance Manager (SCM)? - -The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. - -For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). - -### Where can I get an older version of a Windows baseline? - -Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix). 
- -- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353) -- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) -- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) -- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) - -### What file formats are supported by the new SCT? - -The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported. - -### Does SCT support the Desired State Configuration (DSC) file format? - -Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features. - -### Does SCT support the creation of Microsoft Configuration Manager DCM packs? - -No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement). - -### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies? - -No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. 
The new toolkit also doesn't include SCAP support. - -## Version matrix - -### Client versions - -| Name | Build | Baseline release date | Security tools | -|---|---|---|---| -| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft)

                [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final)

                [Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)

                [1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final)

                [1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017

                August 2017

                October 2016

                January 2016

                January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -### Server versions - -| Name | Build | Baseline release date | Security tools | -|---|---|---|---| -|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)| -|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -### Microsoft products - -| Name | Details | Security tools | -|--|--|--| -| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 
4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -> [!NOTE] -> Browser baselines are built-in to new OS versions starting with Windows 10. - -## See also - -[Windows security baselines](windows-security-baselines.md) diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png deleted file mode 100644 index 3fae6eba9a..0000000000 Binary files a/windows/security/threat-protection/images/AH_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png deleted file mode 100644 index e69ea2a796..0000000000 Binary files a/windows/security/threat-protection/images/SS_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png deleted file mode 100644 index 63f8c75929..0000000000 Binary files a/windows/security/threat-protection/images/TVM_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png deleted file mode 100644 index 7e4e011d4f..0000000000 Binary files a/windows/security/threat-protection/images/Untitled-1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/air-icon.png b/windows/security/threat-protection/images/air-icon.png deleted file mode 100644 index 985e3e4429..0000000000 Binary files a/windows/security/threat-protection/images/air-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-icon.png b/windows/security/threat-protection/images/asr-icon.png deleted file mode 100644 index bf649e87ec..0000000000 Binary files a/windows/security/threat-protection/images/asr-icon.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png deleted file mode 100644 index 2f8eb02556..0000000000 Binary files a/windows/security/threat-protection/images/asr-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png deleted file mode 100644 index fa6285cb56..0000000000 Binary files a/windows/security/threat-protection/images/asr-rules-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png deleted file mode 100644 index 569ee7a256..0000000000 Binary files a/windows/security/threat-protection/images/asr-test-tool.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png deleted file mode 100644 index f93dbe34e3..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-app-ps.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png deleted file mode 100644 index afb220f764..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-app.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png deleted file mode 100644 index 88cd35c6ce..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-folder-ps.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png deleted file mode 100644 index 89abf15424..0000000000 Binary files a/windows/security/threat-protection/images/cfa-audit-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png deleted file mode 100644 index 96e6874361..0000000000 Binary files a/windows/security/threat-protection/images/cfa-filecreator.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png deleted file mode 100644 index f8d3056d80..0000000000 Binary files a/windows/security/threat-protection/images/cfa-gp-enable.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png deleted file mode 100644 index 62ca8c3021..0000000000 Binary files a/windows/security/threat-protection/images/cfa-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png deleted file mode 100644 index 7441a54834..0000000000 Binary files a/windows/security/threat-protection/images/cfa-on.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png deleted file mode 100644 index a61b54a696..0000000000 Binary files a/windows/security/threat-protection/images/cfa-prot-folders.png and /dev/null differ diff --git a/windows/security/threat-protection/images/check-no.png b/windows/security/threat-protection/images/check-no.png deleted file mode 100644 index 040c7d2f63..0000000000 Binary files a/windows/security/threat-protection/images/check-no.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
deleted file mode 100644
index f9a64efbd7..0000000000
Binary files a/windows/security/threat-protection/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
deleted file mode 100644
index 1253d68613..0000000000
Binary files a/windows/security/threat-protection/images/create-exploit-guard-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/edr-icon.png b/windows/security/threat-protection/images/edr-icon.png
deleted file mode 100644
index 8c750dee42..0000000000
Binary files a/windows/security/threat-protection/images/edr-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
deleted file mode 100644
index ddf0ca23e9..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app-allow.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
deleted file mode 100644
index 7401e1e87f..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app-folder.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
deleted file mode 100644
index f8e4dc98d1..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
deleted file mode 100644
index 620d786868..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
deleted file mode 100644
index e89118fd47..0000000000
Binary files a/windows/security/threat-protection/images/enable-ep-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
deleted file mode 100644
index 604dceff4c..0000000000
Binary files a/windows/security/threat-protection/images/enable-np-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
deleted file mode 100644
index eafac1db7a..0000000000
Binary files a/windows/security/threat-protection/images/ep-default.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
deleted file mode 100644
index d36cdd8498..0000000000
Binary files a/windows/security/threat-protection/images/ep-prog.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
deleted file mode 100644
index 96d12d3af1..0000000000
Binary files a/windows/security/threat-protection/images/event-viewer-import.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
deleted file mode 100644
index 7909bfe728..0000000000
Binary files a/windows/security/threat-protection/images/event-viewer.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
deleted file mode 100644
index 68f057de3a..0000000000
Binary files a/windows/security/threat-protection/images/events-create.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
deleted file mode 100644
index 55e77c546f..0000000000
Binary files a/windows/security/threat-protection/images/events-import.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png
deleted file mode 100644
index d7b921aa69..0000000000
Binary files a/windows/security/threat-protection/images/exp-prot-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/get-support.png b/windows/security/threat-protection/images/get-support.png
deleted file mode 100644
index 427ba670de..0000000000
Binary files a/windows/security/threat-protection/images/get-support.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png
deleted file mode 100644
index 75540493da..0000000000
Binary files a/windows/security/threat-protection/images/lab-creation-page.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png
deleted file mode 100644
index f8c9c07b16..0000000000
Binary files a/windows/security/threat-protection/images/linux-mdatp-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png
deleted file mode 100644
index f8c9c07b16..0000000000
Binary files a/windows/security/threat-protection/images/linux-mdatp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig1.png b/windows/security/threat-protection/images/mobile-security-guide-fig1.png
deleted file mode 100644
index 4bdc6c0c9c..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig2.png b/windows/security/threat-protection/images/mobile-security-guide-fig2.png
deleted file mode 100644
index becb48f0ed..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure3.png b/windows/security/threat-protection/images/mobile-security-guide-figure3.png
deleted file mode 100644
index f78d187b04..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure3.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure4.png b/windows/security/threat-protection/images/mobile-security-guide-figure4.png
deleted file mode 100644
index 6f9b3725f8..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure4.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mte-icon.png b/windows/security/threat-protection/images/mte-icon.png
deleted file mode 100644
index 1d5693a399..0000000000
Binary files a/windows/security/threat-protection/images/mte-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ngp-icon.png b/windows/security/threat-protection/images/ngp-icon.png
deleted file mode 100644
index 9aca3db517..0000000000
Binary files a/windows/security/threat-protection/images/ngp-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png
deleted file mode 100644
index 69eb1bbeee..0000000000
Binary files a/windows/security/threat-protection/images/np-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png
deleted file mode 100644
index 4ec2be97af..0000000000
Binary files a/windows/security/threat-protection/images/powershell-example.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png
deleted file mode 100644
index 00225ec18c..0000000000
Binary files a/windows/security/threat-protection/images/sccm-asr-blocks.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png
deleted file mode 100644
index dfb1cb201b..0000000000
Binary files a/windows/security/threat-protection/images/sccm-asr-rules.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png
deleted file mode 100644
index 2868712541..0000000000
Binary files a/windows/security/threat-protection/images/sccm-cfa-block.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png
deleted file mode 100644
index bd2e57d73f..0000000000
Binary files a/windows/security/threat-protection/images/sccm-cfa.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png
deleted file mode 100644
index d7a896332a..0000000000
Binary files a/windows/security/threat-protection/images/sccm-ep-xml.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png
deleted file mode 100644
index 1d16250401..0000000000
Binary files a/windows/security/threat-protection/images/sccm-ep.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png
deleted file mode 100644
index 0655fdad69..0000000000
Binary files a/windows/security/threat-protection/images/sccm-np-block.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png
deleted file mode 100644
index a9f11a2e95..0000000000
Binary files a/windows/security/threat-protection/images/sccm-np.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png
deleted file mode 100644
index 06f66acf99..0000000000
Binary files a/windows/security/threat-protection/images/seccon-framework.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-compliance-toolkit-1.png b/windows/security/threat-protection/images/security-compliance-toolkit-1.png
deleted file mode 100644
index 270480af39..0000000000
Binary files a/windows/security/threat-protection/images/security-compliance-toolkit-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png
deleted file mode 100644
index 75467f2098..0000000000
Binary files a/windows/security/threat-protection/images/security-control-classification.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png
deleted file mode 100644
index 4f869474e2..0000000000
Binary files a/windows/security/threat-protection/images/security-control-deployment-methodologies.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-update.png b/windows/security/threat-protection/images/security-update.png
deleted file mode 100644
index f7ca20f34e..0000000000
Binary files a/windows/security/threat-protection/images/security-update.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg
deleted file mode 100644
index e79d2b057d..0000000000
Binary files a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg
deleted file mode 100644
index 89a87afa8b..0000000000
--- a/windows/security/threat-protection/images/svg/check-no.svg
+++ /dev/null
@@ -1,7 +0,0 @@ - - Check mark no - - \ No newline at end of file
diff --git a/windows/security/threat-protection/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg
deleted file mode 100644
index 483ff5fefc..0000000000
--- a/windows/security/threat-protection/images/svg/check-yes.svg
+++ /dev/null
@@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file
diff --git a/windows/security/threat-protection/images/tpm-capabilities.png b/windows/security/threat-protection/images/tpm-capabilities.png
deleted file mode 100644
index aecbb68522..0000000000
Binary files a/windows/security/threat-protection/images/tpm-capabilities.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/tpm-remote-attestation.png b/windows/security/threat-protection/images/tpm-remote-attestation.png
deleted file mode 100644
index fa092591a1..0000000000
Binary files a/windows/security/threat-protection/images/tpm-remote-attestation.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/images/turn-windows-features-on-or-off.png
deleted file mode 100644
index 8d47a53b51..0000000000
Binary files a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png
deleted file mode 100644
index 6a1cc80fd4..0000000000
Binary files a/windows/security/threat-protection/images/vbs-example.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna1.png b/windows/security/threat-protection/images/wanna1.png
deleted file mode 100644
index e90d1cc12c..0000000000
Binary files a/windows/security/threat-protection/images/wanna1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna2.png b/windows/security/threat-protection/images/wanna2.png
deleted file mode 100644
index 7b4a1dcd97..0000000000
Binary files a/windows/security/threat-protection/images/wanna2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna3.png b/windows/security/threat-protection/images/wanna3.png
deleted file mode 100644
index 9b0b176366..0000000000
Binary files a/windows/security/threat-protection/images/wanna3.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna4.png b/windows/security/threat-protection/images/wanna4.png
deleted file mode 100644
index 17fefde707..0000000000
Binary files a/windows/security/threat-protection/images/wanna4.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna5.png b/windows/security/threat-protection/images/wanna5.png
deleted file mode 100644
index 92ecf67d20..0000000000
Binary files a/windows/security/threat-protection/images/wanna5.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna6.png b/windows/security/threat-protection/images/wanna6.png
deleted file mode 100644
index 26824af34d..0000000000
Binary files a/windows/security/threat-protection/images/wanna6.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna7.png b/windows/security/threat-protection/images/wanna7.png
deleted file mode 100644
index 634bd1449d..0000000000
Binary files a/windows/security/threat-protection/images/wanna7.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna8.png b/windows/security/threat-protection/images/wanna8.png
deleted file mode 100644
index 59b42eb6f6..0000000000
Binary files a/windows/security/threat-protection/images/wanna8.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png
deleted file mode 100644
index 8a67d190b7..0000000000
Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png
deleted file mode 100644
index 312167da41..0000000000
Binary files a/windows/security/threat-protection/images/wdeg.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
deleted file mode 100644
index 01801a519d..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
deleted file mode 100644
index 38404d7569..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png
deleted file mode 100644
index eac90e96f5..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-export.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
deleted file mode 100644
index 53edeb6135..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png
deleted file mode 100644
index 67abde13e0..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot.png and /dev/null differ
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
deleted file mode 100644
index 307fd1ee4b..0000000000
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ /dev/null
@@ -1,44 +0,0 @@ ---- -title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) -description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. -ms.prod: windows-client -ms.localizationpriority: medium -ms.author: dansimp -author: dansimp -ms.reviewer: -manager: aaroncz -ms.technology: itpro-security -ms.date: 12/31/2017 -ms.topic: article ---- - -# What is Microsoft Baseline Security Analyzer and its uses? - -Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. - -MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016. - -> [!NOTE] -> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. 
- -## The Solution -A script can help you with an alternative to MBSA’s patch-compliance checking: - -- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. -For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0). - -For example: - -[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) - -The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. -The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers. - -## More Information - -For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit. - -- [Windows security baselines](windows-security-baselines.md) -- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Security Guidance blog](/archive/blogs/secguide/) \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
deleted file mode 100644
index 08cb4d5676..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
deleted file mode 100644
index 9e58d99ead..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
deleted file mode 100644
index 877b707030..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
deleted file mode 100644
index 5172022256..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index ad5d373c27..0b7b4ac15b 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri + - tier2 ms.topic: how-to ---
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 6b284c9344..afc6aaef79 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri + - tier2 ms.topic: conceptual ---
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
deleted file mode 100644
index daa96d291d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@ - - - \ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
deleted file mode 100644
index ab2d5152ca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
+++ /dev/null
@@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
deleted file mode 100644
index dbbad7d780..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
+++ /dev/null
@@ -1,3 +0,0 @@ - - - \ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
deleted file mode 100644
index a3286fb528..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
deleted file mode 100644
index e51cd9384c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 393d33b206..ba53584a0f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -10,6 +10,7 @@ manager: aaroncz ms.technology: itpro-security adobe-target: true ms.collection: + - tier2 - highpri ms.date: 12/31/2017 ms.topic: article
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index 0ee92c6736..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,89 +0,0 @@ ---- -title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows) -description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. -ms.prod: windows-client -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/13/2017 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.technology: itpro-security -ms.topic: how-to ---- - -# Set up and use Microsoft Defender SmartScreen on individual devices - -**Applies to:** -- Windows 10, version 1703 -- Windows 11 -- Microsoft Edge - -Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. - -## How users can use Windows Security to set up Microsoft Defender SmartScreen -Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it. - ->[!NOTE] ->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. - -**To use Windows Security to set up Microsoft Defender SmartScreen on a device** -1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**. - -2. In the **Reputation-based protection** screen, choose from the following options: - - - In the **Check apps and files** area: - - - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue. 
- - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - - In the **Microsoft Defender SmartScreen for Microsoft Edge** area: - - - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge. - - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - In the **Potentially unwanted app blocking** area: - - - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md#potentially-unwanted-application-pua). - - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device. - - - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium). - - - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps. - - - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area: - - - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue. - - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. 
- - ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png) - -## How Microsoft Defender SmartScreen works when a user tries to run an app -Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. - -By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended). - -## How users can report websites as safe or unsafe -Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. - -**To report a website as safe from the warning message** -- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. - -**To report a website as unsafe from Microsoft Edge** -- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. 
- -**To report a website as unsafe from Internet Explorer 11** -- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. - -## Related topics -- [Threat protection](../index.md) - -- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index e6f9bec119..969423ed4a 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 08/16/2021 ms.technology: itpro-security @@ -23,7 +24,7 @@ ms.technology: itpro-security **Applies to** - Windows 11 -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. @@ -47,7 +48,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes. ### Default values -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. | Server type or Group Policy Object (GPO) | Default value | | - | - | 
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 7436c55ccd..1aa90a6526 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 11/02/2018 ms.technology: itpro-security 
@@ -34,7 +35,7 @@ The **Account lockout threshold** policy setting determines the number of failed Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. -Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. +Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn't need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. ### Possible values 
@@ -46,7 +47,7 @@ Because vulnerabilities can exist when this value is configured and when it's no ### Best practices -The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization. +The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization. As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). 
@@ -116,7 +117,7 @@ Because vulnerabilities can exist when this value is configured and when it's no - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. + [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index bd80ebe594..760392434f 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md 
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts). There are two options if this setting is enabled: diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 8cdc5e7f53..f28c135001 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security 
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png deleted file mode 100644 index 52acafba66..0000000000 Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png and /dev/null differ diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png deleted file mode 100644 index 858be4e70e..0000000000 Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png and /dev/null differ diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png deleted file mode 100644 index 2efa6877c8..0000000000 Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png and /dev/null differ diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md deleted file mode 100644 index f0dbde13f1..0000000000 --- a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 1/4/2019 -ms.reviewer: -manager: aaroncz -ms.topic: include -ms.prod: m365-security ---- -Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index b65e3da751..41c09e6eb4 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/18/2018 ms.technology: itpro-security 
@@ -29,7 +30,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy. +Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user's session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy. > [!NOTE] > If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings. 
@@ -42,7 +43,7 @@ If **Machine will be locked after** is set to zero (0) or has no value (blank), ### Best practices -Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity. +Set the time for elapsed user-input inactivity based on the device's usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity. ### Location @@ -52,7 +53,7 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | 
@@ -85,7 +86,7 @@ This policy setting helps you prevent unauthorized access to devices under your ### Countermeasure -Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements. +Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device's usage and location requirements. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 91919d8ae3..92341b9213 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re ### Best practices -The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting. +The [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) don't recommend configuring this setting. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index bcdeda1852..5eb5a6a0b4 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md 
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 02c1a25fd5..f9b90574fd 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -35,7 +35,7 @@ The **Minimum password age** policy setting determines the period of time (in da ### Best practices -[Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day. +[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend setting **Minimum password age** to one day. Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index cde1a5df8b..b74a12c22c 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 03/30/2022 ms.technology: itpro-security 
@@ -50,7 +51,7 @@ In addition, requiring long passwords can actually decrease the security of an o ### Default values -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. | Server type or Group Policy Object (GPO) | Default value | | - | - | diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 67f28accd4..42cb403da5 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -11,6 +11,7 @@ ms.reviewer: manager: aaroncz ms.collection: - highpri + - tier3 ms.topic: conceptual --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index a9b0b1ae89..465adda6a7 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -9,6 +9,7 @@ author: vinaypamnani-msft manager: aaroncz ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index e1585d602e..23edb11516 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -75,7 +76,7 @@ HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index c7b9c6ad9d..b84eb1eaf9 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.technology: itpro-security ms.date: 12/31/2017 @@ -112,4 +113,4 @@ The use of ALT key character combinations may greatly enhance the complexity of ## Related articles -- [Password Policy](password-policy.md) +- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations) 
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index b4163b8525..e28f4796b7 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 1891e3b322..275d4a0bd8 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md 
@@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. -[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). +[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). ### Location @@ -69,7 +69,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the ### Countermeasure -[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15. +[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 79136b00da..e5a2bba1d9 100644 
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index f8f1af1c61..205e5f9c9a 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -59,7 +59,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode. -For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md). +For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md). ### Location 
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 0439fc8ee1..7e7e14c8c0 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 12/16/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index f9355db522..cacb1ef857 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -68,6 +68,8 @@ href: wdac-wizard-create-supplemental-policy.md - name: Editing a WDAC policy with the Wizard href: wdac-wizard-editing-policy.md + - name: Creating WDAC Policy Rules from WDAC Events + href: wdac-wizard-parsing-event-logs.md - name: Merging multiple WDAC policies with the Wizard href: wdac-wizard-merging-policies.md - name: WDAC deployment guide diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index c2987aea45..bf315dd58b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 10/16/2017 ms.technology: itpro-security 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
deleted file mode 100644
index acdfc6b79b..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ /dev/null
@@ -1,165 +0,0 @@ ---- -title: Use audit events to create then enforce WDAC policy rules (Windows) -description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: vinpa -manager: aaroncz -ms.date: 05/03/2021 -ms.technology: itpro-security -ms.topic: article ---- - -# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced - -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). - -Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your Windows Defender Application Control policy (WDAC) but should be included. - -While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. - -## Overview of the process to create WDAC policy to allow apps using audit events - -> [!NOTE] -> You must have already deployed a WDAC audit mode policy to use this process. 
If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). - -To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. - -1. Install and run an application not allowed by the WDAC policy but that you want to allow. - -2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). - - **Figure 1. Exceptions to the deployed WDAC policy**
                - - ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) - -3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. - - ```powershell - $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" - $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml" - $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" - ``` - -4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. - - ```powershell - New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings - ``` - - > [!NOTE] - > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). - -5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. 
You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). - -6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. - - > [!NOTE] - > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. - -7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. - - For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). - -8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. - -## Convert WDAC **BASE** policy from audit to enforced - -As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. 
- -**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. - -Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. - -1. Initialize the variables that will be used and create the enforced policy by copying the audit version. - - ```powershell - $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced" - $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml" - $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml" - cp $AuditPolicyXML $EnforcedPolicyXML - ``` - -2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step. - - ```powershell - $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID - $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) - ``` - - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. - -3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. 
Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. - - ```powershell - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9 - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10 - ``` - -4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement: - - ```powershell - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete - ``` - -5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary: - - > [!NOTE] - > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. - - ```powershell - $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" - ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary - ``` - -## Make copies of any needed **supplemental** policies to use with the enforced base policy - -Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure. - -1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used. 
- - ```powershell - $SupplementalPolicyName = "Lamna_Supplemental1" - $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml" - $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml" - ``` - -2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement. - - ```powershell - $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID - $SupplementalPolicyID = $SupplementalPolicyID.Substring(11) - ``` - - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. - -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary: - - ```powershell - $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" - ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary - ``` - -4. Repeat the steps above if you have other supplemental policies to update. - -## Deploy your enforced policy and supplemental policies - -Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png
deleted file mode 100644
index dac1240786..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png
deleted file mode 100644
index 3c93b2b948..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png
deleted file mode 100644
index 12ec2b924f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png
deleted file mode 100644
index 5cdb4cf3c4..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png
deleted file mode 100644
index 8ef2d0e3ce..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png
deleted file mode 100644
index f201956d4d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png
deleted file mode 100644
index 0c5eacc3f9..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png
deleted file mode 100644
index 98e5507000..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png
deleted file mode 100644
index 1b5483103b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png
deleted file mode 100644
index c37d55910d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png
deleted file mode 100644
index e132440266..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png
deleted file mode 100644
index cbd0366eff..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png
deleted file mode 100644
index 4d8325baa6..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png
deleted file mode 100644
index e5ae089d6b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png
deleted file mode 100644
index 55f5173b03..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png
new file mode 100644
index 0000000000..841b3104fe
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png
new file mode 100644
index 0000000000..75fd7c7798
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png
new file mode 100644
index 0000000000..50dcbf7715
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png
new file mode 100644
index 0000000000..f0e2056bcc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png
new file mode 100644
index 0000000000..ef32ad6c9a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png
new file mode 100644
index 0000000000..09e857e82e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png
new file mode 100644
index 0000000000..5b3de97aff
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png
new file mode 100644
index 0000000000..ee1af12b3d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png
new file mode 100644
index 0000000000..5ae44b24cd
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png new file mode 100644 index 0000000000..4fd2a0813f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png deleted file mode 100644 index 67df953a08..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index fc266be640..7acb0c4301 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -11,11 +11,12 @@ ms.localizationpriority: medium audience: ITPro ms.collection: - highpri + - tier3 author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 11/01/2022 +ms.date: 02/08/2023 ms.technology: itpro-security ms.topic: article --- @@ -72,7 +73,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ```xml - 10.0.25210.0 + 10.0.25290.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} 
@@ -201,6 +202,56 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -229,11 +280,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + @@ -413,18 +469,44 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -557,6 +639,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + @@ -713,16 +801,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - @@ -745,37 +823,54 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + - - - - + - + + + + + + + - @@ -785,7 +880,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -797,70 +892,47 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - + + + - + - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -868,14 +940,232 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -885,17 +1175,139 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + + + - - + + + + - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -927,36 +1339,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -972,24 +1354,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - @@ -998,394 +1362,184 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1393,38 +1547,69 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + + + + + + + - + + + + + + + + + + + + - + + + + + + @@ -1433,58 +1618,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + 
@@ -1495,675 +1648,776 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + @@ -2179,7 +2433,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.25210.0 + 10.0.25290.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index b4c9fd2969..73c7ef9d1e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: jgeurten -ms.reviewer: isbrahm +ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.topic: conceptual 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
new file mode 100644
index 0000000000..c89baad871
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
@@ -0,0 +1,141 @@
+---
+title: Windows Defender Application Control Wizard WDAC Event Parsing
+description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events.
+keywords: WDAC event parsing, allow listing, block listing, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: windows-client
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: jgeurten
+ms.reviewer: jsuther1974
+ms.author: vinpa
+manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/01/2023
+ms.technology: itpro-security
+---
+
+# Creating WDAC Policy Rules from WDAC Events in the Wizard
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+
+As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types:
+
+1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing)
+2. [Exported WDAC events (EVTX files) from any system](#wdac-event-log-file-parsing)
+3. [Exported WDAC events from MDE Advanced Hunting](#mde-advanced-hunting-wdac-event-parsing)
+
+
+## WDAC Event Viewer Log Parsing
+
+To create rules from the WDAC event logs on the system:
+
+1. Select **Policy Editor** from the WDAC Wizard main page.
+2. Select **Convert Event Log to a WDAC Policy**.
+3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header.
+
+ The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events.
+
+ > [!div class="mx-imgBorder"]
+ > [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png)
+
+4. Select the Next button to view the audit and block events and create rules.
+5. [Generate rules from the events](#creating-policy-rules-from-the-events).
+
+## WDAC Event Log File Parsing
+
+To create rules from the WDAC `.EVTX` event logs files on the system:
+
+1. Select **Policy Editor** from the WDAC Wizard main page.
+2. Select **Convert Event Log to a WDAC Policy**.
+3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header.
+4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse.
+
+ The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events.
+
+ > [!div class="mx-imgBorder"]
+ > [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png)
+
+5. Select the Next button to view the audit and block events and create rules.
+6. [Generate rules from the events](#creating-policy-rules-from-the-events).
+
+## MDE Advanced Hunting WDAC Event Parsing
+
+To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md):
+
+1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events.
**The Wizard requires the following fields** in the Advanced Hunting csv file export:
+
+ ```KQL
+ | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName
+ ```
+
+ The following Advanced Hunting query is recommended:
+
+ ```KQL
+ DeviceEvents
+ // Take only WDAC events
+ | where ActionType startswith 'AppControlCodeIntegrity'
+ // SigningInfo Fields
+ | extend IssuerName = parsejson(AdditionalFields).IssuerName
+ | extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash
+ | extend PublisherName = parsejson(AdditionalFields).PublisherName
+ | extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash
+ // Audit/Block Fields
+ | extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash
+ | extend PolicyId = parsejson(AdditionalFields).PolicyID
+ | extend PolicyName = parsejson(AdditionalFields).PolicyName
+ // Keep only required fields for the WDAC Wizard
+ | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName
+ ```
+
+2. Export the WDAC event results by selecting the **Export** button in the results view.
+
+ > [!div class="mx-imgBorder"]
+ > [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png)
+
+3. Select **Policy Editor** from the WDAC Wizard main page.
+4. Select **Convert Event Log to a WDAC Policy**.
+5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header.
+6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse.
+
+ The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files.
You'll see a notification when the Wizard successfully finishes reading the events.
+
+ > [!div class="mx-imgBorder"]
+ > [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png)
+
+7. Select the Next button to view the audit and block events and create rules.
+8. [Generate rules from the events](#creating-policy-rules-from-the-events).
+
+## Creating Policy Rules from the Events
+
+On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers.
+
+To create a rule and add it to the WDAC policy:
+
+1. Select an audit or block event in the table by selecting the row of interest.
+2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules.
+3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type.
+4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated.
+
+ > [!div class="mx-imgBorder"]
+ > [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png)
+
+5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies.
+
+> [!WARNING]
+> It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens.
+
+
+## Up next
+
+- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 6ac671b28d..9f5f66cd38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -11,6 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection:
- highpri
+ - tier3
author: vinaypamnani-msft
ms.reviewer: isbrahm
ms.author: vinpa
@@ -38,7 +39,7 @@ In most organizations, information is the most valuable asset, and ensuring that
Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
-Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
+Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
> [!NOTE]
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
deleted file mode 100644
index 363648cbc0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
deleted file mode 100644
index eec35c6dcf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png
deleted file mode 100644
index abf5a30659..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
deleted file mode 100644
index a3773ffe67..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Manage Windows Security in Windows 10 in S mode
-description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance.
-keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/30/2018
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-security
-ms.topic: how-to
----
-
-# Manage Windows Security in Windows 10 in S mode
-
-**Applies to**
-
-- Windows 10 in S mode, version 1803
-
-Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software.
-
-The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
-
-:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode."
source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png":::
-
-For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
-
-## Managing Windows Security settings with Intune
-
-In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts.
-
-For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](/intune/endpoint-protection-windows-10).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 3f25837b24..41b535c96b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -11,6 +11,7 @@ manager: aaroncz
ms.technology: itpro-security
ms.collection:
- highpri
+ - tier2
ms.date: 12/31/2017
ms.topic: article
---
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png
deleted file mode 100644
index 99e8cb1384..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png
deleted file mode 100644
index fbd6a798b0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png
deleted file mode 100644
index 865af86b19..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f605793303..6c14ed44e0 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
- Windows 11
- Windows 10
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
> [!NOTE]
> System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@@ -76,7 +76,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 4aeb22b1f0..c1666220e4 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -14,6 +14,7 @@ manager: aaroncz
audience: ITPro
ms.collection:
- highpri
+ - tier3
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index c3caab02c2..b607d65908 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -14,6 +14,7 @@ manager: aaroncz
audience: ITPro
ms.collection:
- highpri
+ - tier3
ms.topic: article
ms.technology: itpro-security
appliesto:
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index f8f7c3977f..8fcc33e6d3 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -14,6 +14,7 @@ manager: aaroncz
audience: ITPro
ms.collection:
- highpri
+ - tier3
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index ea3861bad7..2f4b0c3d20 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -14,6 +14,7 @@ manager: aaroncz
audience: ITPro
ms.collection:
- highpri
+ - tier3
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: itpro-security
@@ -51,11 +52,13 @@ This topic describes how to create a standard port rule for a specified protocol
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
- >**Note:** Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+ > [!Note]
+ > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
- >**Note:** This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
+ > [!Note]
+ > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port.
If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
@@ -71,6 +74,7 @@ This topic describes how to create a standard port rule for a specified protocol
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
- >**Note:** If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type.
+ > [!Note]
+ > If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 77ea069a39..cce89be934 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -9,6 +9,7 @@ author: paolomatarazzo
manager: aaroncz
ms.collection:
- highpri
+ - tier3
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
deleted file mode 100644
index 759c9f4ce3..0000000000
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows)
-description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
----
-
-# Evaluating Windows Defender Firewall with Advanced Security Design Examples
-
-
-The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
-
-- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md)
-
-- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
-
-- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
-
-- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
-
diff --git a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif
deleted file mode 100644
index 5c7dfb0ebc..0000000000
Binary files a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif and /dev/null differ
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 0dead272e0..7bd82a831e 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -9,6 +9,7 @@ author: paolomatarazzo
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
deleted file mode 100644
index 430a461918..0000000000
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Procedures Used in This Guide (Windows)
-description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
----
-
-# Procedures Used in This Guide
-
-
-The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
-
-- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-
-- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-
-- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-
-- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
-
-- [Configure Authentication Methods](configure-authentication-methods.md)
-
-- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
-
-- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-
-- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
-
-- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
-
-- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)
-
-- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
-
-- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-
-- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
-
-- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
-
-- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-
-- [Create a Group Policy Object](create-a-group-policy-object.md)
-
-- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
-
-- [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
-
-- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
-
-- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
-
-- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
-
-- [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
-
-- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
-
-- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
-
-- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
-
-- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
-
-- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
-
-- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
-
-- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
-
-- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-
-- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-
-- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md)
-
-- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
-
-- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
-
-- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
-
-- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 56c5f70707..13cf7bd61a 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -8,6 +8,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.reviewer: jekrynit
@@ -36,7 +37,7 @@ The Windows Defender Firewall with Advanced Security MMC snap-in is more flexibl
 ## Feature description
-Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
+Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy.
 ## Practical applications
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index 5d976ff196..c79a189b61 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -2,14 +2,16 @@
 title: Common Criteria Certifications
 description: This topic details how Microsoft supports the Common Criteria certification program.
 ms.prod: windows-client
-ms.author: paoloma
-author: paolomatarazzo
+ms.author: sushmanemali
+author: s4sush
 manager: aaroncz
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 11/4/2022
-ms.reviewer:
+ms.reviewer: paoloma
 ms.technology: itpro-security
+ms.collection:
+ - tier3
 ---
 # Common Criteria certifications
@@ -24,12 +26,16 @@ The product releases below are currently certified against the cited *Protection
 - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
 - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
-For more details, expand each product section.
+### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge
-
                +Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients -

                - Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) +- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf) +- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf) +- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf) + +### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients @@ -38,10 +44,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf) -
                - -
                - Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V +### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. @@ -50,10 +53,7 @@ Certified against the Protection Profile for Virtualization, including the Exten - [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf) - [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1909, Windows Server, version 1909 +### Windows 10, version 1909, Windows Server, version 1909 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. @@ -62,10 +62,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1903, Windows Server, version 1903 +### Windows 10, version 1903, Windows Server, version 1903 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -74,10 +71,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1809, Windows Server, version 1809 +### Windows 10, version 1809, Windows Server, version 1809 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -86,10 +80,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1803, Windows Server, version 1803 +### Windows 10, version 1803, Windows Server, version 1803 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -98,10 +89,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1709, Windows Server, version 1709 +### Windows 10, version 1709, Windows Server, version 1709 Certified against the Protection Profile for General Purpose Operating Systems. @@ -110,10 +98,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1703, Windows Server, version 1703 +### Windows 10, version 1703, Windows Server, version 1703 Certified against the Protection Profile for General Purpose Operating Systems. @@ -122,10 +107,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for General Purpose Operating Systems. @@ -134,10 +116,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1507, Windows Server 2012 R2 +### Windows 10, version 1507, Windows Server 2012 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -146,8 +125,6 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf) -
                - ## Archived certified products The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1): @@ -156,12 +133,7 @@ The product releases below were certified against the cited *Protection Profile* - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. - - -
                -
                - Windows Server 2016, Windows Server 2012 R2, Windows 10 +### Windows Server 2016, Windows Server 2012 R2, Windows 10 Certified against the Protection Profile for Server Virtualization. @@ -170,10 +142,7 @@ Certified against the Protection Profile for Server Virtualization. - [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1607, Windows 10 Mobile, version 1607 +### Windows 10, version 1607, Windows 10 Mobile, version 1607 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -182,10 +151,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -194,10 +160,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1511 +### Windows 10, version 1511 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -206,10 +169,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1507, Windows 10 Mobile, version 1507 +### Windows 10, version 1507, Windows 10 Mobile, version 1507 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -218,10 +178,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 10, version 1507 +### Windows 10, version 1507 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -230,10 +187,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
                - -
                - Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 +### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -241,10 +195,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf) -
                - -
                - Surface Pro 3, Windows 8.1 +### Surface Pro 3, Windows 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -252,10 +203,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf) -
                - -
                - Windows 8.1, Windows Phone 8.1 +### Windows 8.1, Windows Phone 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -263,10 +211,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf) -
                - -
                - Windows 8, Windows Server 2012 +### Windows 8, Windows Server 2012 Certified against the Protection Profile for General Purpose Operating Systems. @@ -274,10 +219,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf) -
                - -
                - Windows 8, Windows RT +### Windows 8, Windows RT Certified against the Protection Profile for General Purpose Operating Systems. @@ -285,10 +227,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf) -
                - -
                - Windows 8, Windows Server 2012 BitLocker +### Windows 8, Windows Server 2012 BitLocker Certified against the Protection Profile for Full Disk Encryption. @@ -296,10 +235,7 @@ Certified against the Protection Profile for Full Disk Encryption. - [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) -
                - -
                - Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client +### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -307,10 +243,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) -
                - -
                - Windows 7, Windows Server 2008 R2 +### Windows 7, Windows Server 2008 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -318,46 +251,31 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) -
                - -
                - Microsoft Windows Server 2008 R2 Hyper-V Role +### Microsoft Windows Server 2008 R2 Hyper-V Role - [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305) - [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) -
                - -
                - Windows Vista, Windows Server 2008 at EAL4+ +### Windows Vista, Windows Server 2008 at EAL4+ - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) -
                - -
                - Windows Vista, Windows Server 2008 at EAL1 +### Windows Vista, Windows Server 2008 at EAL1 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) -
                - -
                - Microsoft Windows Server 2008 Hyper-V Role +### Microsoft Windows Server 2008 Hyper-V Role - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) -
                - -
                - Windows Server 2003 Certificate Server +### Windows Server 2003 Certificate Server - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) @@ -366,12 +284,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) -
                - -
                - Windows Rights Management Services +### Windows Rights Management Services - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) - -
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png
deleted file mode 100644
index 94be89b74f..0000000000
Binary files a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index a6ce54113b..4ff1d859be 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -7,6 +7,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.date: 6/30/2022
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 3987f694a9..6e2f83d198 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -7,6 +7,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.date: 6/30/2022
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png
deleted file mode 100644
index 242f5dd9bc..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index b08b62f673..bac325bbe0 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -8,6 +8,7 @@ author: vinaypamnani-msft manager: aaroncz ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 02/14/2022 ms.reviewer: rmunck @@ -20,7 +21,7 @@ ms.technology: itpro-security The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products. -The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy. +The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.

                The Security Compliance Toolkit consists of: @@ -74,9 +75,9 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. -LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files. +LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files. It can export local policy to a GPO backup. -It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. +It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file. Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 0c513379b1..807e2e2800 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -8,6 +8,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 01/26/2022
 ms.reviewer: jmunck
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index 64689039a1..ad5c50ecc7 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -1,7 +1,6 @@
 ---
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-search.appverid: MET150
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
@@ -9,9 +8,6 @@ ms.topic: conceptual
 ms.date: 09/21/2021
 ms.prod: windows-client
 ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.collection:
-ms.custom:
 ms.reviewer: jsuther
 ---
 
@@ -25,11 +21,11 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. -As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it's trusted by the Secure Boot policy and hasn’t been tampered with. +As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. ## Trusted Boot -Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. 
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product's early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index d432c8a8ff..0e145097a8 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -31,5 +31,7 @@ href: feature-lifecycle.md - name: Deprecated Windows features href: deprecated-features.md + - name: Resources for deprecated features + href: deprecated-features-resources.md - name: Removed Windows features href: removed-features.md \ No newline at end of file diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md new file mode 100644 index 0000000000..e2f67c9051 --- /dev/null +++ b/windows/whats-new/deprecated-features-resources.md 
@@ -0,0 +1,73 @@
+---
+title: Resources for deprecated features in the Windows client
+description: Resources and details for deprecated features in the Windows Client.
+ms.date: 02/14/2023
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.localizationpriority: medium
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.reviewer:
+ms.topic: reference
+---
+
+# Resources for deprecated features
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
+
+## Microsoft Support Diagnostic Tool resources
+
+The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).
+
+If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change will allow you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require additional assistance.
+
+### Redirected MSDT troubleshooters
+
+The following troubleshooters will automatically be redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
+
+- Background Intelligent Transfer Service (BITS)
+- Bluetooth
+- Camera
+- Internet Connections
+- Network Adapter
+- Playing Audio
+- Printer
+- Program Compatibility Troubleshooter
+- Recording Audio
+- Video Playback
+- Windows Network Diagnostics
+- Windows Media Player DVD
+- Windows Media Player Library
+- Windows Media Player Settings
+- Windows Update
+
+### Retired MSDT troubleshooters
+
+The following troubleshooters will be removed in a future release of Windows:
+
+- Connection to a Workplace using DirectAccess
+- Devices and Printers
+- Hardware and Devices
+- HomeGroup
+- Incoming Connections
+- Internet Explorer Performance
+- Internet Explorer Safety
+- Keyboard
+- Power
+- Search and Indexing
+- Speech
+- System Maintenance
+- Shared Folders
+- Windows Store Apps
+
+## Next steps
+
+- [Windows feature lifecycle](feature-lifecycle.md)
+- [Deprecated Windows features](deprecated-features.md)
+- [Removed Windows features](removed-features.md)
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 3c58ebfc65..c32948df18 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | +| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 | | Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.

                Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 | | Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022| | Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

                For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 19bd51f371..bd292f17c7 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.topic": "article", diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md deleted file mode 100644 index bdfa205f5c..0000000000 --- a/windows/whats-new/windows-10-insider-preview.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Documentation for Windows 10 Insider Preview (Windows 10) -description: Preliminary documentation for some Windows 10 features in Insider Preview. -ms.prod: windows-client -author: dansimp -ms.date: 04/14/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.technology: itpro-fundamentals ---- - -# Documentation for Windows 10 Insider Preview - ->[!NOTE] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently. - - - - -  - -  - - - - - diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 4a63cc1f7c..3c6653f5b0 100644 --- a/windows/whats-new/windows-11-requirements.md 
+++ b/windows/whats-new/windows-11-requirements.md
@@ -1,16 +1,15 @@
 ---
 title: Windows 11 requirements
-description: Hardware requirements to deploy Windows 11
+description: Hardware requirements to deploy Windows 11.
 manager: aaroncz
 author: mestew
 ms.author: mstewart
 ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.collection: highpri
 ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 02/13/2023
 ---
 
 # Windows 11 requirements
@@ -19,51 +18,60 @@ ms.date: 12/31/2017 - Windows 11 -This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). +This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). ## Hardware requirements To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements: - -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). -- RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB\* or greater available storage is required to install Windows 11. - - Extra storage space might be required to download updates and enable specific features. -- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. -- System firmware: UEFI, Secure Boot capable. -- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. -- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). +- **Processor**: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](/windows-hardware/design/minimum/windows-processor-requirements) or system on a chip (SoC). 
-Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +- **Memory**: 4 gigabytes (GB) or greater. -For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). +- **Storage**: 64 GB or greater available disk space. -## Operating system requirements + > [!NOTE] + > There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). + +- **Graphics card**: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. + +- **System firmware**: UEFI, Secure Boot capable. + +- **TPM**: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. + +- **Display**: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. + +- **Internet connection**: Internet connectivity is necessary to perform updates, and to download and use some features. + + - Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use. + +For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). + +For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). + +## OS requirements Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11. > [!NOTE] -> S mode is only supported on the Home edition of Windows 11. 
-> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
                 
                -> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. +> +> - S mode is only supported on the Home edition of Windows 11. +> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode). +> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later. ## Feature-specific requirements -Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements. +Some features in Windows 11 have requirements beyond the minimum [hardware requirements](#hardware-requirements). - **5G support**: requires 5G capable modem. - **Auto HDR**: requires an HDR monitor. -- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and greater. - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support. - **DirectX 12 Ultimate**: available with supported games and graphics chips. 
- **Presence**: requires sensor that can detect human distance from device or intent to interact with device. -- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) +- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output). - **Multiple Voice Assistant**: requires a microphone and speaker. - **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width. - **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. 
@@ -76,35 +84,43 @@ Some features in Windows 11 have requirements beyond those requirements listed a - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. +- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live *Countries and Regions* page for the most up-to-date information on availability. Some features in the Xbox app require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. ## Virtual machine support -The following configuration requirements apply to VMs running Windows 11. +The following configuration requirements apply to VMs running Windows 11. 
-- Generation: 2 \* -- Storage: 64 GB or greater -- Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - - General settings: Secure boot capable, virtual TPM enabled -- Memory: 4 GB or greater -- Processor: Two or more virtual processors +- **Generation**: 2 -The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). + > [!NOTE] + > In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. -\* In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. +- **Storage**: 64 GB or greater disk space. -> [!NOTE] -> Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. +- **Security**: + + - **Azure**: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled. + - **Hyper-V**: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager). + + - General settings: Secure boot capable, virtual TPM enabled. + +- **Memory**: 4 GB or greater. + +- **Processor**: Two or more virtual processors. + + - The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). + + > [!NOTE] + > There may be some instances where this requirement for the VM host doesn't apply. For more information, see [Options for using Windows 11 with Mac computers](https://support.microsoft.com/topic/cd15fd62-9b34-4b78-b0bc-121baa3c568c). 
+ + - Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. ## Next steps -[Plan for Windows 11](windows-11-plan.md)
                -[Prepare for Windows 11](windows-11-prepare.md) +- [Plan for Windows 11](windows-11-plan.md) +- [Prepare for Windows 11](windows-11-prepare.md) ## See also -[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
                -[What's new in Windows 11 overview](/windows/whats-new/windows-11-overview) - +- [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) +- [What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)