deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into Benny-54-cleanup-part2

Browse Source
This commit is contained in:
Benny Shilpa 2022-05-11 15:52:02 +05:30 committed by GitHub
commit 032b035e4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 494 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

292
template.md Normal file
View File

@ -0,0 +1,292 @@
---
title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
ms.date: mm/dd/yyyy
ms.prod: windows
ms.technology: windows #more to come...
ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
ms.localizationpriority: medium #high null
author: # GitHub username (aczechowski)
ms.author: # MS alias (aaroncz)
ms.reviewer: # MS alias of feature PM, optional
manager: # MS alias of manager (dougeby)
ms.collection: # optional
- # highpri - high priority, strategic, important, current, etc. articles
- # openauth - the article is owned by PM or community for open authoring
---
# Metadata and Markdown Template
_Applies to:_
- Windows 11
- Windows 10
This docs.ms template contains examples of markdown syntax, and guidance on setting the metadata. It's available in the root directory of the Windows repository (`~\windows-docs-pr\template.md`).
When you create a new markdown file article, **Save as** this template to a new file, fill out the metadata as specified below, set the H1 heading above (`#`) to the title of the article, and delete the template content.
## Metadata
The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
- You _must_ have a space between the colon (`:`) and the value for a metadata element.
- Remove all metadata comments (`#`)
- Colons in a value (like the title) break the metadata parser. In their place, use the HTML encoding `:` (for example, `title: Azure Rights Management: the basics`).
- `title`: This title appears in search engine results and the browser tab.
- Don't end with a period.
- Use Microsoft style _sentence case_.
- The title can match the H1 heading (`#`) and the name in the toc.yml, but doesn't have to.
- It should be roughly 55 characters or less for best search engine optimization (SEO).
- `description`: Summarize the content, shows in search engine results. 75-300 characters. Always end with a period.
- `ms.date`: After you Save As this template to the target file, with the Docs Authoring Pack extension installed, right-click anywhere in the .md file to **Update `ms.date` metadata value** and save the file.
- `author`: The author field contains the **Github username** of the author.
- This value is used in GitHub notifications, assignments, and other build automation in both the private and public repositories.
- It's also used to display the first (left-most) contributor in the published article.
- `ms.author` & `manager`: Microsoft aliases. ms.author and author are typically the same.
- `ms.reviewer`: Optionally can specify the name of the PM associated with the article. Just for reference, not currently used by any automation.
- `ms.prod`: Should always be `windows` for Windows content. (Some older articles still use `w10` and `w11`.)
- `ms.technology`: Select one of the options based on the feature area. Currently the only option is `windows`.
- `ms.topic`: Select one of the options based on the content type. This attribute is used in calculating content health (different content types are used differently by customers, so have different metrics).
- `ms.localizationpriority`: **Medium** is the default, which is machine translation. For specific, high-priority content that requires human translation (extra cost), set this value to **high**. For any components that are only `en-us`, set this value to **null** for no localization.
## Basic markdown and GFM
All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
## Headings
Examples of first- and second-level headings are above.
There **must** be only one first-level heading (`#`, also known as H1) in your article, which is displayed as the published title at the top of the page.
Second-level headings (`##`, also known as H2) generate the on-page TOC that appears in the **In this article** section beside or underneath the on-page title.
Limit the length of second-level headings to avoid excessive line wraps.
Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
Configuration Manager content does use custom anchors in some articles. They're almost always prefixed with `bkmk_`, for example, `bkmk_client`. These anchors can help reduce the anchor size, but does require HTML code that may not always be supported by the docs build system. There's other functionality with the Docs Authoring Pack and the build validation that only works with native header anchors. Use custom anchors sparingly, and remove them in older articles when possible. When removing custom anchors, make sure to update all internal links from the old custom anchor to the native header kebab format.
### Third-level heading
Third-level headings (and beyond) can be any length, as they don't appear **In this article**.
#### Fourth-level heading
##### Fifth level heading
## Text styling
_Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps differentiate with the double asterisk (`**`) for bold)
**Bold**
~~Strikethrough~~
## Links
> [!TIP]
> Use the **Docs Authoring Pack** extension to easily add links!
>
> 1. **Alt** + **M** to open the Docs Authoring Pack menu.
> 1. Select **Link** and then follow the prompts.
>
> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
### Article in the same repo
To link to an article in the same repo, use **file-relative links**. These links have the path to the target as relative to the current file, and always include the `.md` or `.yml` extension. For example, `[Windows client documentation for IT Pros](index.yml)`
#### Link to headings
To link to a heading _in the same markdown file_, add just the anchor as the link. It's either a custom HTML anchor (`#bkmk_client`) or the kebab case of the header. For example: `[Link to an article in the same repo](#article-in-the-same-repo)`. Kebab case is preferred over a custom anchor, as the build validates the link. Make sure headings aren't duplicated in the same article.
To link to a heading _in a markdown file in the same repo_, use relative linking + hashtag linking. For example: `[Windows 11 availability](../whats-new/windows-11-plan.md#windows-11-availability)`
### Another docs.ms article
To link to another docs.ms article not in the same repo, use a **root-relative link**. This style supports the potential future use of the doc content in a separate disconnected environment, like for a high security government customer, which would have a different domain. For example, `[Public contributor guide](/contribute/additional-resources)`.
### External URLs
To link to an external file, use the full URL as the link. For example: `[Github](https://www.github.com)`
- The link should always be **HTTPS**.
- Remove any local from the URL, unless it doesn't work without it. Most all microsoft.com properties support language neutral URLs.
### Example links
If you need to provide an example of a URL in the article, enclose it in a code block. For example: `https://www.contoso.com`
This style makes sure the URL is ignored during build validation and the broken links report.
### Tips for links
When your pull request runs, the build system validates all file-relative links and non-custom anchors. It will return a warning if it can't resolve a link.
VSCode supports file-relative links and non-custom anchors, so you can easily navigate between pages, and test that links are valid.
There's a broken link report that runs once a week in the build system, get the report from OPS.
Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
## Lists
### Ordered lists
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
You can explicitly number each line if needed, but this style lets the build autonumber it. This style is beneficial if you need to add or remove a step.
#### Ordered list with an embedded list
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is embedded.
1. This list is embedded.
1. This list is ordered.
1. This list is ordered.
### Unordered Lists
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
#### Unordered list with embedded lists
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is embedded.
- This list is embedded.
- This list is bulleted.
- This list is bulleted.
1. This list is embedded and ordered.
1. This list is embedded and ordered.
- This list is bulleted.
## Horizontal rule
---
## Tables
| Tables | Are | Cool |
| ------------- |:-------------:| -----:|
| col 3 is | right-aligned | $1600 |
| col 2 is | centered | $12 |
| col 1 is default | left-aligned | $1 |
The Docs Authoring Pack has features to manage markdown tables. Select the entire table, then right-click to see the options.
## Code
### Codeblock
```json
{
"aggregator": {
"batchSize": 1000,
flushTimeout": "00:00:30"
}
}
```
### In-line code
This sentence includes an example of `in-line code`.
## Blockquote
> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
## Images
Use the Docs Authoring Pack menu to easily insert media.
Always include alt text for accessibility, and always end it with a period.
### Static Image
:::image type="content" source="media/deploy1.png" alt-text="A graphic of a laptop as a suitcase.":::
### Image with lightbox
:::image type="content" source="media/deploy2.png" alt-text="A graphic of a computer with external monitor." lightbox="media/W10-WaaS-poster.PNG":::
### Animated gif
:::image type="content" source="media/docs-filter-toc.gif" alt-text="Animated gif of 'filter by title' option in the table of contents.":::
### Linked Image
[![Alt text for linked image.](memdocs/media/docs-github-edit.png)](https://azure.microsoft.com)
## Alerts
### Note
> [!NOTE]
> This is NOTE
### Warning
> [!WARNING]
> This is WARNING
### Tip
> [!TIP]
> This is TIP
### Caution
> [!CAUTION]
> This is CAUTION
### Important
> [!IMPORTANT]
> This is IMPORTANT
## Videos
### YouTube
> [!VIDEO https://www.youtube.com/embed/rnhnZTrSZzI]
## docs.ms extensions
> [!div class="nextstepaction"]
> [Next step action](/mem/configmgr)

5
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 05/09/2022
ms.reviewer:
manager: dansimp
---
@ -72,6 +72,9 @@ manager: dansimp
<hr/>
> [!Important]
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)).
<!--Policy-->
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**

2
windows/configuration/windows-10-accessibility-for-ITPros.md
View File

@ -89,3 +89,5 @@ This topic helps IT administrators learn about built-in accessibility features,
[Inclusive Design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

154
windows/hub/doc-test.md Normal file
View File

@ -0,0 +1,154 @@
---
title: Doc team test
description: A test article for the doc team's use.
ms.date: 05/10/2022
ms.prod: windows
ms.technology: windows
ms.topic: reference
ms.localizationpriority: null
ROBOTS: NOINDEX
author: aczechowski
ms.author: aaroncz
ms.reviewer: mstewart
manager: dougeby
---
# Doc team test
This article is for testing purposes only.
> [!NOTE]
> For more markdown examples and tips, see the **template.md** file at the root of the repository. Including examples of links and images.
## Basic Markdown and GFM
All basic and Github-flavored markdown is supported. For more information, see:
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://guides.github.com/features/mastering-markdown)
## Headings
Examples of first and second-level headings are above.
There **must** be only one first level heading in your article, which will be displayed as the on-page title.
Second-level headings will generate the on-page TOC that appears in the "In this article" section underneath the on-page title.
### Third-level heading (`###`)
#### Fourth-level heading (`####`)
##### Fifth-level heading (`#####`)
## Text styling
_Italics_ (`_`)
**Bold** (`**`)
~~Strikethrough~~ (`~~`)
## Lists
### Ordered lists
1. This
1. Is
1. An
1. Ordered
1. List
#### Ordered list with an embedded list
1. Here
1. Comes
1. An
1. Embedded
1. Scarlett
1. Professor Plum
1. Ordered
1. List
### Unordered Lists
- This
- Is
- A
- Bulleted
- List
#### Unordered list with an embedded list
- This
- Bulleted
- List
- Peacock
- Green
- Contains
- Other
1. Colonel Mustard
1. Yellow
1. gold
1. White
1. cream
1. silver
- Lists
## Horizontal rule
---
## Tables
| Tables | Are | Cool |
|---------------------|:-------------:|------:|
| Column 3 is | Right-aligned | $1600 |
| Column 2 is | Centered | $12 |
| Column 1 is default | Left-aligned | $1 |
## Code
### Code block
```json
{
"aggregator": {
"batchSize": 1000,
flushTimeout": "00:00:30"
}
}
```
### In-line code
This example is for `in-line code`.
## Blockquotes
> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
## Alerts
### Note
> [!NOTE]
> This alert is a NOTE
### Warning
> [!WARNING]
> This alert is a WARNING
### Tip
> [!TIP]
> This alert is a TIP
### Caution
> [!CAUTION]
> This alert is a CAUTION
### Important
> [!IMPORTANT]
> This alert is a IMPORTANT

15
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -119,7 +119,8 @@ The following table lists management options for each setting, For Windows 10 (
| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [32. Widgets](#bkmk-widgets) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
### Settings for Windows Server 2016 with Desktop Experience
@ -596,7 +597,7 @@ Alternatively, you can configure the following Registry keys as described:
| - | - |
| Allow Address Bar drop-down list suggestions | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI<br/>REG_DWORD name: ShowOneBox<br/> Set to **0**|
| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary<br/>REG_DWORD name: AllowConfigurationUpdateForBooksLibrary<br/> Set to **0**|
| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: Use FormSuggest<br/>Value : **No** |
| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: Use FormSuggest<br/>Value: **No** |
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_DWORD name: DoNotTrack<br/> REG_DWORD: **1** |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: FormSuggest Passwords<br /> REG_SZ: **No** |
| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes<br/>REG_DWORD name: ShowSearchSuggestionsGlobal <br />Value: **0**|
@ -1736,7 +1737,7 @@ In Group Policy, configure:
-and-
- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
- Create an SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
### <a href="" id="bkmk-spotlight"></a>25. Personalized Experiences
@ -1919,6 +1920,14 @@ You can turn off Services Configuration by setting the following registry entrie
Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**.
### <a href="" id="bkmk-widgets"></a>32. Widgets
Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working.
You can turn off Widgets by setting the following registry entries:
Add a REG_DWORD value named **AllowWidgets** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets** and set the value to **0**.
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
|Allowed traffic endpoints|

1
windows/security/identity-protection/index.md
View File

@ -21,6 +21,7 @@ Learn more about identity and access management technologies in Windows 10.
| Section | Description |
|-|-|
| [Local Administrator Password Solution](/defender-for-identity/cas-isp-laps) | Local Administrator Password Solution (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Azure Active Directory (Azure AD) and protected by an access control list (ACL), so only eligible users can read them or request a reset.
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |

2
windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
View File

@ -30,7 +30,7 @@ This article depicts the BitLocker deployment comparison chart.
| Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|---------|---------|---------|---------|
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 10 IoT |
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|Minimum Windows version |1909 | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |

50
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -1,6 +1,6 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
@ -26,28 +26,28 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
This article explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organizations confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
Table 2 lists specific data-protection concerns and how they are addressed in Windows 11, Windows 10, and Windows 7.
Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thats a scenario that organizations need to avoid.
The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thats a scenario that organizations need to avoid.
Whether youre planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
### TPM pre-provisioning
@ -59,13 +59,13 @@ In Windows 7, preparing the TPM for use offered a couple of challenges:
Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
## Deploy hard drive encryption
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
## BitLocker Device Encryption
@ -76,8 +76,8 @@ Microsoft expects that most devices in the future will pass the testing requirem
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
@ -92,9 +92,9 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
## Encrypted hard drive support
@ -105,22 +105,22 @@ For more information about encrypted hard drives, see [Encrypted Hard Drive](../
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign in. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign in, which makes it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
## Configure Network Unlock
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock requires the following infrastructure:
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
@ -143,11 +143,11 @@ Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administrat
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience.
* Supports Windows 10.
* Supports Windows 11 and Windows 10.
> [!IMPORTANT]
> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more details, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more details, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).

4
windows/security/threat-protection/windows-defender-application-control/feature-availability.md
View File

@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: jgeurten
ms.author: deniseb
manager: dansimp
ms.date: 07/29/2021
ms.date: 05/09/2022
ms.custom: asr
ms.technology: windows-sec
---
@ -32,7 +32,7 @@ ms.technology: windows-sec
| Capability | WDAC | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10 and Windows 11 | Available on Windows 8+ |
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
| Management solutions | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |